Would it be very difficult to warn when something is sanitized and removed?

I wasted a good deal of time trying to figure out why
createContextualFragment wasn't working.

On Fri, Feb 2, 2018 at 2:10 AM, Gijs Kruitbosch <gijskruitbo...@gmail.com>

> FWIW, if you're running into this with the usecase "I have a localized
> string that needs to have links (or other markup) in it" and were formerly
> using getFormattedString combined with innerHTML, we now have a utility
> method that can help a little bit. Rather than hand-rolling splitting the
> string etc., on nightly you can use BrowserUtils.getLocalizedFragment as
> a replacement. Given a document, raw string (fetch using getString /
> GetStringFromName instead of the "formatted" APIs), and DOM nodes to
> insert, it'll produce a DocumentFragment that you can
> appendChild/insertBefore etc., take care of splitting your strings for you,
> and will work with both indexed (%1$S) and non-indexed (%S) replacement
> points in the localized string. In the further future, I expect this type
> of problem will go away entirely because of Fluent.
> ~ Gijs
> On 02/02/2018 07:13, Kris Maglione wrote:
>> As of bug 1432966, any HTML injected into chrome-privileged documents[1]
>> is automatically sanitized to remove any possibility of script execution.
>> The sanitization is whitelist-based, and only allows a limited set of HTML
>> elements and attributes. All scripts, XUL nodes, or privileged URLs will
>> automatically be removed. This change has been uplifted all the way to 58
>> release.
>> If you're thinking about writing new code that injects HTML strings into
>> chrome-privileged documents, please think again. Unless it's extremely
>> simple, it probably won't be compatible with these changes (and will also
>> be rejected by our default ESLint rules).
>> Existing HTML injection in chrome documents is being gradually removed.
>> Once that's done, the sanitization may be replaced with an outright
>> prohibition.
>> -Kris
>> [1]: Using the usual HTML fragment creation methods such as `innerHTML`,
>> `outerHTML`, `insertAdjacentHTML`, and `createContextualFragment`. Not,
>> notably, when using document.write().
>> _______________________________________________
>> firefox-dev mailing list
>> firefox-...@mozilla.org
>> https://mail.mozilla.org/listinfo/firefox-dev
dev-platform mailing list

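The pattern Gijs describes, as an added example that is not Mozilla's BrowserUtils.getLocalizedFragment (whose implementation is not part of this thread): the `%S` / `%1$S` replacement points are filled with DOM nodes and the surrounding text becomes Text nodes, so nothing is handed to the HTML parser and the sanitizer Kris describes has nothing to strip. The stub document and the sample string are constructed here so the block runs outside a browser; in chrome code you would pass the real `document`.

```javascript
// Added example (not Mozilla's BrowserUtils code): a DOM-building replacement for
// getFormattedString + innerHTML. The localized string keeps its %S / %1$S
// replacement points; each one is filled with a DOM node instead of markup text,
// so nothing passes through the HTML parser and nothing can be sanitized away.
const PLACEHOLDER = /%(\d+)\$S|%S/g;

// Split a localized string into text runs and node references.
// "%1$S" selects nodes[0]; a bare "%S" takes the next node in order.
function splitLocalizedString(str, nodeCount) {
  const parts = [];
  let last = 0;
  let nextUnindexed = 0;
  for (const m of str.matchAll(PLACEHOLDER)) {
    if (m.index > last) parts.push({ type: 'text', value: str.slice(last, m.index) });
    const index = m[1] !== undefined ? Number(m[1]) - 1 : nextUnindexed++;
    if (index < 0 || index >= nodeCount) {
      throw new RangeError(`placeholder ${m[0]} has no matching node`);
    }
    parts.push({ type: 'node', index });
    last = m.index + m[0].length;
  }
  if (last < str.length) parts.push({ type: 'text', value: str.slice(last) });
  return parts;
}

// Build a DocumentFragment from the parts: text becomes Text nodes, so a
// localizer's "<" or "&" is displayed literally instead of being parsed.
function buildLocalizedFragment(doc, str, nodes) {
  const fragment = doc.createDocumentFragment();
  for (const part of splitLocalizedString(str, nodes.length)) {
    fragment.appendChild(part.type === 'text' ? doc.createTextNode(part.value) : nodes[part.index]);
  }
  return fragment;
}

// Constructed stand-in for a document, so the example runs outside a browser.
// In Firefox chrome code you would pass the real `document` and real elements.
function makeStubDocument() {
  const node = (kind, text) => ({ kind, text, children: [] });
  return {
    createTextNode: (text) => node('text', text),
    createDocumentFragment: () => {
      const frag = node('fragment');
      frag.appendChild = (child) => { frag.children.push(child); return child; };
      return frag;
    },
  };
}
```

Because the link is a real element rather than markup, the result can be passed straight to `appendChild`/`insertBefore`, which is the replacement for the innerHTML call that the sanitizer would otherwise silently trim.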