科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>javascript - Best way to purge innerHTML from a Firefox Extension - Stack Overflow

    javascript - Best way to purge innerHTML from a Firefox Extension - Stack Overflow

    programmeradmin0浏览0评论

    I'm running web-ext lint and getting back a few errors like this:

    UNSAFE_VAR_ASSIGNMENT

    Unsafe assignment to innerHTML

    Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately sanitized. This can lead to security issues or fairly serious performance degradation.

    The code in question is basically doing:

    var html = '<style>body { margin: 0; } iframe { border: none; }' +
           '</style><iframe src="' + URL.createObjectURL(blob) +
           '" width="100%" height="100%"></iframe>';
document.documentElement.innerHTML = html;

    I'm not a big JS dev, so I understand the security vulnerability here, but I don't really know what the best solution is to make AMO and the linter happy. I suppose I need to convert the string above into a bunch of mands to make a node instead?

    I'm running web-ext lint and getting back a few errors like this:

    UNSAFE_VAR_ASSIGNMENT

    Unsafe assignment to innerHTML

    Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately sanitized. This can lead to security issues or fairly serious performance degradation.

    The code in question is basically doing:

    var html = '<style>body { margin: 0; } iframe { border: none; }' +
           '</style><iframe src="' + URL.createObjectURL(blob) +
           '" width="100%" height="100%"></iframe>';
document.documentElement.innerHTML = html;

    I'm not a big JS dev, so I understand the security vulnerability here, but I don't really know what the best solution is to make AMO and the linter happy. I suppose I need to convert the string above into a bunch of mands to make a node instead?

    • javascript
    • jquery
    • firefox-addon-webextensions
    Share Improve this question edited Jun 20, 2020 at 9:12 CommunityBot 11 silver badge asked Aug 8, 2017 at 23:20 mlissnermlissner 18.2k18 gold badges121 silver badges176 bronze badges
    Add a ment  | 

    1 Answer 1

    Reset to default 6

    Yes, that would be safer. For the example above it would be

    var css = 'body { margin: 0; } iframe { border: none; }';
var style = document.createElement('style');
style.appendChild(document.createTextNode(css));
document.body.appendChild(style);

var frame = document.createElement('iframe');
frame.width = "100%";
frame.height = "100%";
frame.src = URL.createObjectURL(blob);
document.body.appendChild(frame);

    To clear the document body prior there are several methods, see Remove all content using pure JS.

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论