Re: PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-09 Thread Frederik Braun
My bad! This is certainly a bug in the linter. The fix is underway.

On 09.02.2018 12:35, Gijs Kruitbosch wrote:
> Sorry about the waste of time. :-(
>
> Re: difficulty: it depends on your measure of 'very'. Internally the
> sanitization is whitelist-based. It is used in many places (not just for

Re: PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-09 Thread Gijs Kruitbosch
Sorry about the waste of time. :-(

Re: difficulty: it depends on your measure of 'very'. Internally the sanitization is whitelist-based. It is used in many places (not just for chrome-privileged docs), where it would be wrong to show warnings (possibly very *many* warnings!). It may be possibl

Re: PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-09 Thread zbraniecki
On Friday, February 2, 2018 at 2:11:02 AM UTC-8, Gijs Kruitbosch wrote:
> In the further future, I expect this type of problem will go away
> entirely because of Fluent.

That's correct! Fluent brings the concept of DOM Overlays which allow for safe mixing between developer provided DOM fragmen

Re: PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-08 Thread Brendan Dahl
Would it be very difficult to warn when something is sanitized and removed? I wasted a good deal of time trying to figure out why createContextualFragment wasn't working.

On Fri, Feb 2, 2018 at 2:10 AM, Gijs Kruitbosch wrote:
> FWIW, if you're running into this with the usecase "I have a locali

Re: PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-02 Thread Gijs Kruitbosch
FWIW, if you're running into this with the usecase "I have a localized string that needs to have links (or other markup) in it" and were formerly using getFormattedString combined with innerHTML, we now have a utility method that can help a little bit. Rather than hand-rolling splitting the str

Re: PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-02 Thread Johann Hofmann
I don't think these rewrites fit the definition of a good first bug. I'm all for working with volunteers on this, since these are good isolated, non-time-sensitive projects to tackle, but I can't think of an innerHTML example in our codebase that matches the low difficulty we usually apply to good

Re: PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-02 Thread Frederik Braun
Now would be a great time to file good first bugs. New contributors could rewrite innerHTML and friends into code that uses safer alternatives.

On 02.02.2018 08:13, Kris Maglione wrote:
> As of bug 1432966, any HTML injected into chrome-privileged documents[1]
> is automatically sanitized to re

PSA: HTML injection in chrome documents is now automatically sanitized

2018-02-01 Thread Kris Maglione
As of bug 1432966, any HTML injected into chrome-privileged documents[1] is automatically sanitized to remove any possibility of script execution. The sanitization is whitelist-based, and only allows a limited set of HTML elements and attributes. All scripts, XUL nodes, or privileged URLs will