Closed Bug 1450315 Opened 7 years ago Closed 7 years ago

Remove document.allowUnsafeHTML

(Core :: DOM: Core & HTML, enhancement, P1)

RESOLVED FIXED
mozilla61
Tracking Status
firefox61 --- fixed

People

(Reporter: johannh, Assigned: johannh)

Attachments

(1 file)

Bug 1434155 seems to have removed the last consumer of this, so I think we can get rid of it again! https://searchfox.org/mozilla-central/search?q=allowUnsafeHTML&case=false&regexp=false&path=
Comment on attachment 8964099 [details] Bug 1450315 - Remove document.allowUnsafeHTML. https://reviewboard.mozilla.org/r/232890/#review238564 r=me. Thank you! ::: dom/base/nsContentUtils.cpp:5092 (Diff revision 1) > > // If this is a chrome-privileged document, create a fragment first, and > // sanitize it before insertion. > RefPtr<DocumentFragment> fragment; > - if (aSanitize != NeverSanitize && !aTargetNode->OwnerDoc()->AllowUnsafeHTML()) { > + if (aSanitize != NeverSanitize && > + IsSystemPrincipal(aTargetNode->OwnerDoc()->NodePrincipal())) { Just aTargetNode->NodePrincipal()
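Review bot: the new condition narrows the sanitizing path to documents whose principal is the system principal, whereas the removed check sanitized every document that had not opted out through AllowUnsafeHTML(); that matches the comment above the hunk ("If this is a chrome-privileged document ... sanitize it before insertion"), but it is worth confirming that no non-system document previously depended on being sanitized here. The principal lookup `aTargetNode->OwnerDoc()->NodePrincipal()` can also be shortened to `aTargetNode->NodePrincipal()`, since the node exposes the same principal directly.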
Attachment #8964099 - Flags: review?(bzbarsky) → review+
Depends on: 1433871
Hmm, we're using this in TB and also JQuery uses .innerHTML = "..." which is in turn used in add-ons :-( We can replace the use of .innerHTML, but JQuery won't. For example see: https://github.com/micz/ThunderStats/commit/75452e94cfc5211e10982a15ada9f8769ea3816a
(In reply to Jorg K (GMT+1) from comment #6)
> Hmm, we're using this in TB and also JQuery uses .innerHTML = "..." which is
> in turn used in add-ons :-(
> We can replace the use of .innerHTML, but JQuery won't. For example see:
> https://github.com/micz/ThunderStats/commit/
> 75452e94cfc5211e10982a15ada9f8769ea3816a

I'm happy to help fix up Thunderbird itself in bug 1433871 but we do not give any guarantees to old-style privileged add-ons anymore, even if they are still supported in Thunderbird (especially for such a security sensitive matter). Sorry for that.
Solution: Don't use jQuery in chrome contexts. Especially, do not use jQuery to inject HTML strings into chrome contexts. You can, of course, get around this by replacing Element.prototype.innerHTML. But that is a terrible idea.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Component: DOM → DOM: Core & HTML