FWIW, if you're running into this with the usecase "I have a localized
string that needs to have links (or other markup) in it" and were
formerly using getFormattedString combined with innerHTML, we now have a
utility method that can help a little bit. Rather than hand-rolling
splitting the string etc., on nightly you can use
BrowserUtils.getLocalizedFragment as a replacement. Given a document,
raw string (fetch using getString / GetStringFromName instead of the
"formatted" APIs), and DOM nodes to insert, it'll produce a
DocumentFragment that you can appendChild/insertBefore etc., take care
of splitting your strings for you, and will work with both indexed
(%1$S) and non-indexed (%S) replacement points in the localized string.
In the further future, I expect this type of problem will go away
entirely because of Fluent.
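As an added illustration of the approach described above (this is example code, not the BrowserUtils.getLocalizedFragment implementation): split a raw localized string at its %S / %1$S replacement points and assemble a DocumentFragment from text nodes and the caller's DOM nodes, so no markup in the translation is ever parsed. The `fakeDoc` object is a constructed stand-in for `document` so the example runs under Node.

```javascript
// Matches "%S" (non-indexed) and "%1$S" (indexed) replacement points.
const PLACEHOLDER = /%(?:(\d+)\$)?S/g;

// Split a raw localized string into tokens: {text} for literal runs and
// {index} (0-based) for replacement points. Non-indexed "%S" placeholders
// are numbered in order of appearance; "%2$S" maps to index 1.
function tokenizeLocalizedString(raw) {
  const tokens = [];
  let last = 0;
  let unindexed = 0;
  for (const m of raw.matchAll(PLACEHOLDER)) {
    if (m.index > last) tokens.push({ text: raw.slice(last, m.index) });
    const index = m[1] !== undefined ? Number(m[1]) - 1 : unindexed++;
    tokens.push({ index });
    last = m.index + m[0].length;
  }
  if (last < raw.length) tokens.push({ text: raw.slice(last) });
  return tokens;
}

// Build the fragment: literal text becomes text nodes (so "<script>" in a
// translation stays literal text), placeholders become the supplied nodes.
// `doc` is assumed to provide createTextNode/createDocumentFragment.
function getLocalizedFragmentExample(doc, raw, nodes) {
  const fragment = doc.createDocumentFragment();
  for (const t of tokenizeLocalizedString(raw)) {
    if ("text" in t) {
      fragment.appendChild(doc.createTextNode(t.text));
    } else if (t.index < nodes.length) {
      fragment.appendChild(nodes[t.index]);
    } else {
      throw new Error(`No node supplied for placeholder #${t.index + 1}`);
    }
  }
  return fragment;
}

// Constructed minimal stand-in for `document`, only so this runs offline.
const fakeDoc = {
  createTextNode: (data) => ({ nodeType: 3, data }),
  createDocumentFragment: () => {
    const f = { nodeType: 11, childNodes: [] };
    f.appendChild = (n) => { f.childNodes.push(n); return n; };
    return f;
  },
};

// Usage: a translation that contains markup-looking text stays inert.
const link = { nodeType: 1, tagName: "A" };
const frag = getLocalizedFragmentExample(fakeDoc, "See %S or <b>help</b>", [link]);
```

In a real chrome document, pass `document` instead of `fakeDoc` and real elements from `document.createElement`; the resulting fragment goes straight to appendChild/insertBefore.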
On 02/02/2018 07:13, Kris Maglione wrote:
As of bug 1432966, any HTML injected into chrome-privileged
documents is automatically sanitized to remove any possibility of
script execution. The sanitization is whitelist-based, and only allows
a limited set of HTML elements and attributes. All scripts, XUL nodes,
or privileged URLs will automatically be removed. This change has been
uplifted all the way to 58 release.
If you're thinking about writing new code that injects HTML strings
into chrome-privileged documents, please think again. Unless it's
extremely simple, it probably won't be compatible with these changes
(and will also be rejected by our default ESLint rules).
Existing HTML injection in chrome documents is being gradually
removed. Once that's done, the sanitization may be replaced with an
: Using the usual HTML fragment creation methods such as
`innerHTML`, `outerHTML`, `insertAdjacentHTML`, and
`createContextualFragment`. Not, notably, when using document.write().