Replace instances of innerHTML with Node.cloneNode() #954

gorhill · Mar 6, 2015

As per Mozilla's preliminary review.

Deathamns · Mar 6, 2015

They're referring to this, but that goes through this sanitizer.
The first version I've sent contained an innerHTML assignment, and since it was plain text, I asked if that could be accepted, and probably this response for that request.
I guess the reviewer thought that I was talking about the code in 3p-filters.js, because the real innerHTML assignment was removed in the meantime (element-picker.js), so he couldn't see it.
So, there's nothing to do here, since we only read innerHTML (which is safe).

gorhill · Mar 6, 2015

I think I should change it anyway, if only for easier maintenance. That code dates from the early days of HTTPSB. Cloning from a hidden template element in the HTML seems to be a better way to do this.

Deathamns · Mar 6, 2015

Sure.

gorhill · Mar 8, 2015

Actually, there is another non-trivial use (and thus "inefficient" as per AMO reviewer) of innerHTML in dyna-rules.html.

For trivial uses, I will leave them unchanged, since they are sanitized through vAPI.insertHTML.

gorhill referenced this issue Mar 8, 2015
Closed
3rd-party filter list update: show status/progress indications in UI #965

gorhill added a commit that closed this issue Mar 8, 2015

gorhill this fixes #954 3544989

gorhill closed this in 3544989 Mar 8, 2015

gorhill reopened this Mar 8, 2015

gorhill added a commit that referenced this issue Mar 9, 2015

gorhill this completes fix of #954 5a2f6e0

gorhill closed this Mar 9, 2015

chrisaljoudi/uBlock

Replace instances of innerHTML with Node.cloneNode() #954

Labels

Milestone

Assignee

2 participants

3rd-party filter list update: show status/progress indications in UI #965