Add warnings for unsafe template escape sequences

RESOLVED FIXED in 2015-02

Status

addons.mozilla.org Graveyard
Add-on Validation
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: kmag, Assigned: kmag)

Tracking

(Blocks: 1 bug)

unspecified
2015-02

Details

(Whiteboard: [ReviewTeam:P1])

(Assignee)

Description

4 years ago
We should warn on uses of non-HTML-escaping template escape sequences for common template libraries.

• `<%=` should warn that `<%-` should generally be used instead, and adequate escaping must be ensured otherwise.
• `{{{` should warn that `{{` should generally be used instead, and adequate escaping must be ensured otherwise.

These warnings should be emitted any time those strings appear in JavaScript strings or HTML files.

Additionally, the use of the `Handlebars.SafeString` method should cause some kind of warning about not using it with unsafe remote content to be emitted.
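One way a validator could implement the checks requested in the description above, as an added example (not code from amo-validator or PR 262). The rule table, message wording, file-extension choices and the `scan` function are assumptions made here, and JavaScript strings are matched with a regular expression rather than a parser.

```python
import re

# Constructed rule table: messages paraphrase the bug report, not amo-validator output.
SEQUENCES = [
    ("<%=", "`<%=` is not HTML-escaped; use `<%-` or ensure adequate escaping"),
    ("{{{", "`{{{` is not HTML-escaped; use `{{` or ensure adequate escaping"),
]
SAFE_STRING = ("Handlebars.SafeString", "do not use with unsafe remote content")

# Single-, double- and backtick-quoted JS literals with backslash escapes.
# Simplification: comments and regex literals containing quotes are not handled.
JS_STRING = re.compile(r"""(["'`])((?:\\.|(?!\1)[^\\])*)\1""", re.S)


def scan(filename, text):
    """Return sorted (line, needle, message) warnings for one add-on file."""
    warnings = []

    def check(region, base, rules):
        for needle, message in rules:
            for hit in re.finditer(re.escape(needle), region):
                line = text.count("\n", 0, base + hit.start()) + 1
                warnings.append((line, needle, message))

    if filename.endswith((".html", ".htm", ".xhtml")):
        # Whole file; SafeString is included to cover inline scripts (assumption).
        check(text, 0, SEQUENCES + [SAFE_STRING])
    elif filename.endswith((".js", ".jsm")):
        for lit in JS_STRING.finditer(text):
            check(lit.group(2), lit.start(2), SEQUENCES)
        # SafeString is a call, so search the code with string literals blanked out.
        code = JS_STRING.sub(lambda m: " " * len(m.group(0)), text)
        check(code, 0, [SAFE_STRING])
    return sorted(warnings)


# Constructed sample inputs.
SAMPLE_JS = """var row = "<li><%= user.name %></li>";
var ok = "<li><%- user.name %></li>";
var tpl = Handlebars.compile('<p>{{{bio}}}</p><p>{{name}}</p>');
var html = new Handlebars.SafeString(resp.body);
// {{{ editor fold marker outside any string: not reported
"""
SAMPLE_HTML = """<script type="text/template">
  <td><%= title %></td>
  <td>{{{ summary }}}</td>
</script>
"""
```

Restricting the JavaScript check to string literals keeps markers such as the `{{{` fold comment in the sample from producing noise, while HTML files are scanned in full.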
(Assignee)

Updated

4 years ago
Whiteboard: [ReviewTeam] → [ReviewTeam:P1]
(Assignee)

Updated

4 years ago
Assignee: nobody → kmaglione+bmo
(Assignee)

Updated

4 years ago
Target Milestone: --- → 2015-02
(Assignee)

Updated

3 years ago
Blocks: 1175332
PR 262 was merged in https://github.com/mozilla/amo-validator/commit/f2314d8aa0bde352308802439306f9c67a117da8. Is anything missing for this bug to be marked as fixed?
Flags: needinfo?(kmaglione+bmo)
(Assignee)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(kmaglione+bmo)
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard