Closed Bug 1211384 Opened 9 years ago Closed 7 years ago

Tracking violations of the Eslint no-unsafe-innerhtml rule

Categories

(Firefox OS Graveyard :: Gaia, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: freddy, Assigned: freddy)

References

Details

(Keywords: meta, sec-want)

This tracks all bugs which offend our eslint test.

If you need help fixing the eslint violation, please discuss this in your own bug. You can get security input by flagging fxos@security.bugs for needinfo? or sec-review?.

Fixing the bug:

Instead of supplying variables or strings and variables to innerHTML/outerHTML/insertAdjacentHTML, we recommend escaping inputs properly.

This can be done by creating a safe HTML object that can distinguish the HTML string from its input:

> var safeHTML = Sanitizer.createSafeHTML`<p>Hello ${username}</p>`;

The object is a normal JS object and can be stored in a cache, retrieved and sent around. The object can be unwrapped for use with innerHTML in the following way:

> domNode.innerHTML = Sanitizer.unwrapSafeHTML(htmlObj);

If you intend to do both of these tasks in the same line of code, you can use escapeHTML:

> domNode.innerHTML = Sanitizer.escapeHTML`<p>Hello ${username}</p>`;

For more documentation, take a look at https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_Automation

Discussions about the Sanitizer library or the Eslint rule belong in their own bug, please keep this tracking bug free from comments.
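Added illustration of the pattern described in the description above; this is not the Gaia Sanitizer library's code but a minimal stand-in with the same three entry points, so the concatenation the lint rule flags can be run side by side with the escaped template. The SafeHTML class, its `__html` field and the sample username are assumptions made for the example.

```javascript
// Stand-in for the three Sanitizer entry points (assumed names match the
// description: createSafeHTML, unwrapSafeHTML, escapeHTML). Not Gaia code.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning inside HTML text or attributes.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker class: only objects produced here can be unwrapped, so a plain string
// (e.g. one built by concatenation) cannot sneak through unwrapSafeHTML.
class SafeHTML {
  constructor(html) { this.__html = html; Object.freeze(this); }
}

// Tagged template: literal template parts are trusted, interpolations are escaped.
function createSafeHTML(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeText(values[i]) + strings[i + 1];
  }
  return new SafeHTML(out);
}

function unwrapSafeHTML(obj) {
  if (!(obj instanceof SafeHTML)) {
    throw new TypeError('unwrapSafeHTML: expected a SafeHTML object, got ' + typeof obj);
  }
  return obj.__html;
}

// Create and unwrap in one step, for use directly on the right of innerHTML.
function escapeHTML(strings, ...values) {
  return unwrapSafeHTML(createSafeHTML(strings, ...values));
}

// Constructed sample input: a display name that happens to contain markup.
const username = '<img src=x onerror="alert(1)">';

// The pattern no-unsafe-innerhtml flags: the input becomes part of the markup.
function unsafeGreeting(name) {
  return '<p>Hello ' + name + '</p>';
}

// The recommended pattern: the same markup, with the input escaped.
function safeGreeting(name) {
  return escapeHTML`<p>Hello ${name}</p>`;
}

console.log(unsafeGreeting(username));
console.log(safeGreeting(username));
```

Run with Node; the first line printed is what a browser would parse as a live img element, the second renders the same text literally.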
Assignee: nobody → fbraun
Status: NEW → ASSIGNED
Keywords: meta, sec-want
Depends on: 1214631
Depends on: 1214632
Depends on: 1214633
Depends on: 1214634
Depends on: 1214635
Depends on: 1214637
Depends on: 1214638
Depends on: 1214639
Depends on: 1214640
Depends on: 1214641
Depends on: 1214642
Depends on: 1214643
Depends on: 1214644
Depends on: 1214645
Depends on: 1214646
Depends on: 1214647
Depends on: 1214648
Depends on: 1214649
Depends on: 1214650
Depends on: 1214651
Depends on: 1214652
Depends on: 1214653
Depends on: 1214654
I will stop tracking the bugs and this bug is unassigned. Closing WONTFIX.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX