I don't think these rewrites fit the definition of a good first bug.

I'm all for working with volunteers on this, since these are good
isolated, non-time-sensitive projects to tackle, but I can't think of an
innerHTML example in our codebase that matches the low difficulty we
usually apply to good-first-bugs (some of them are indeed very hard to
do without innerHTML, which is why it's there in the first place). I'd
be happy if someone can prove me wrong about this, though.

Thank you Kris for the great work, let's get rid of innerHTML once and
for all!


Frederik Braun wrote:
> Now would be a great time to file good first bugs.
> New contributors could rewrite innerHTML and friends into code that uses
> safer alternatives.
> On 02.02.2018 08:13, Kris Maglione wrote:
>> As of bug 1432966, any HTML injected into chrome-privileged documents[1]
>> is automatically sanitized to remove any possibility of script
>> execution. The sanitization is whitelist-based, and only allows a
>> limited set of HTML elements and attributes. All scripts, XUL nodes, or
>> privileged URLs will automatically be removed. This change has been
>> uplifted all the way to 58 release.
>> If you're thinking about writing new code that injects HTML strings into
>> chrome-privileged documents, please think again. Unless it's extremely
>> simple, it probably won't be compatible with these changes (and will
>> also be rejected by our default ESLint rules).
>> Existing HTML injection in chrome documents is being gradually removed.
>> Once that's done, the sanitization may be replaced with an outright
>> prohibition.
>> -Kris
>> [1]: Using the usual HTML fragment creation methods such as `innerHTML`,
>> `outerHTML`, `insertAdjacentHTML`, and `createContextualFragment`. Not,
>> notably, when using document.write().
>> _______________________________________________
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
> _______________________________________________
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
dev-platform mailing list

Reply via email to