Now would be a great time to file good first bugs.

New contributors could rewrite innerHTML and friends into code that uses
safer alternatives.

On 02.02.2018 08:13, Kris Maglione wrote:
> As of bug 1432966, any HTML injected into chrome-privileged documents[1]
> is automatically sanitized to remove any possibility of script
> execution. The sanitization is whitelist-based, and only allows a
> limited set of HTML elements and attributes. All scripts, XUL nodes, or
> privileged URLs will automatically be removed. This change has been
> uplifted all the way to 58 release.
> If you're thinking about writing new code that injects HTML strings into
> chrome-privileged documents, please think again. Unless it's extremely
> simple, it probably won't be compatible with these changes (and will
> also be rejected by our default ESLint rules).
> Existing HTML injection in chrome documents is being gradually removed.
> Once that's done, the sanitization may be replaced with an outright
> prohibition.
> -Kris
> [1]: Using the usual HTML fragment creation methods such as `innerHTML`,
> `outerHTML`, `insertAdjacentHTML`, and `createContextualFragment`. Not,
> notably, when using document.write().
> _______________________________________________
> dev-platform mailing list
dev-platform mailing list

Reply via email to