Uploaded image for project: 'Browser Developer Extensions'
  1. Browser Developer Extensions
  2. BDE-140

Use recommended libraries for HTML sanitization

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 2.1.1
    • Fix Version/s: 2.2.0
    • Component/s: Base Code
    • Release Notes Summary:
      Use recommended libraries for HTML sanitization (Mozilla Review)
    • Tags:
    • Sprint:
      FTEST - W16
    • Epic Link:

      Description

      As per Mozilla's request:

      2) Please use an established library for sanitize when creating DOM elements using external data. You can use DOMPurify, see accepted versions here: https://github.com/mozilla/amo-validator/blob/master/validator/testcases/hashes-allowed.txt

      • scripts/about.js line 3
      • scripts/popup.js line 40
      • scripts/popup.js line 45

      6) You are using a function that sanitizes HTML to sanitize javascript, e.g. at data/js/content_scripts/Article.js line 2314. _pageNr may be valid and sanitized HTML, but still allow escaping the intended use in the script tag.
      innerHTML with HTML Escaping: This method is a last resort which should be used only as a temporary measure in established code bases. It is safe, though inefficient, to assign dynamic values to innerHTML if any dynamic content in the value is escaped with the following function: https://developer.mozilla.org/en-US/docs/Archive/Add-ons/Overlay_Extensions/XUL_School/DOM_Building_and_HTML_Insertion

      This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk. For more information, see https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion . Here are some examples that were discovered:

      scripts/popup.js line 242
      popup-vendor.js line 11649
      json-vendor.js line 11649
      about-vendor.js line 9436
      options-vendor.js line 9436, 11649
      A suggestion for the next version:
      a) Please use node.textContent instead of innerHTML for assigning text information to a DOM node or if you need to create new DOM nodes use document.createElement() and NODE.appendChild() functions. Usually usage of innerHTML is not permitted in add-ons because innerHTML is a major security risk when used with data from external sources.
      For more information, see https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion
      For inserting text, textContent (or JQuery text) or createTextNode() should be used instead of innerHTML.
      For inserting HTML, the safer method is to use createElement(), textContent, appendChild() instead of innerHTML.
      b) Please use an established library for sanitize when creating DOM elements using external data. You can use DOMPurify, see accepted versions here: https://github.com/mozilla/amo-validator/blob/master/validator/testcases/hashes-allowed.txt

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 6 hours
                6h