Add-ons/Reviewers/Guide/Reviewing

295 bytes added, 16:31, 6 January 2016
Policy updates
! style="border-bottom: 2px solid black" scope="col" | Notes
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using <code>eval()</code>, <code>Function()</code>, <code>setTimeout()</code>, or <code>setInterval()</code> to evaluate JS code.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | <code>eval</code> may sometimes be allowed when it is used carefully to patch Firefox functions with local code.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using <code>setTimeout()</code> or <code>setInterval()</code> to evaluate JS code.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | <code>setTimeout</code> and <code>setInterval</code> may be used with hardcoded JS strings, but using closures is preferred. Only reject if it looks like remote code is being evaluated.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Remote script injection.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | See the [https://developer.mozilla.org/en/XUL/iframe#a-browser.type iframe documentation]. The type must be one of <code>"content"</code>, <code>"content-targetable"</code>, or <code>"content-primary"</code>. This must be done ''before'' anything is loaded on that <code>iframe</code>. If the <code>iframe</code> or <code>browser</code> is used to load only chrome content, and it is clear from the code that it will never load anything else, <code>type="chrome"</code> may be used when necessary.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Inserting remote content with <code>innerHTML</code>.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject Add note
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject if it's clear from the sources that the code being injected is remote and unsanitized. The canned response points to the [https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/DOM_Building_and_HTML_Insertion preferred documentation] about this topic. Assignments to <code>innerHTML</code> will result in the execution of any JavaScript code present in the injected string, so it needs to be very clear that any such strings are safe and sane. The documentation offers various methods of ensuring this. Since this issue can often be confusing to developers, make sure to include a reference to a code file and line where this occurs.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using DOM Mutation events.
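The rows above ask the reviewer to locate <code>eval</code>/<code>Function</code> calls, string arguments to <code>setTimeout</code>/<code>setInterval</code>, and <code>innerHTML</code> assignments, and to cite a file and line in the review note. The following is an added example, not code from the Reviewers Guide or from any AMO tooling: a small heuristic scanner that runs over add-on sources and reports each such location with the action label the table suggests. The patterns, action labels and sample source files are constructed for this demonstration; the scanner is line-based and regex-driven, so it is a triage aid for the reviewer, not a replacement for reading the code.

```javascript
// Added example (not part of the Reviewers Guide): heuristic scanner that
// flags the review-policy patterns and reports file:line for each hit.
// Regexes have no 'g' flag so .test() carries no lastIndex state.
const PATTERNS = [
  { pattern: 'eval()', action: 'Reject',
    re: /\beval\s*\(/ },
  { pattern: 'Function()', action: 'Reject',
    re: /\bFunction\s*\(/ },                       // also matches "new Function("
  // First argument is a string literal: tolerated, closures preferred.
  { pattern: 'setTimeout/setInterval with string literal', action: 'Add note',
    re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
  // First argument is neither a function expression, an arrow function, a
  // parenthesised expression nor a string literal: confirm it is a local
  // function reference rather than code obtained from elsewhere.
  { pattern: 'setTimeout/setInterval with non-function first argument', action: 'Manual check',
    re: /\bset(?:Timeout|Interval)\s*\((?!\s*(?:function\b|\(|['"`]|[A-Za-z_$][\w$]*\s*=>))/ },
  // Assignment (= or +=) only; comparisons (==, ===) are not flagged.
  { pattern: 'innerHTML assignment', action: 'Add note; reject if the string is remote and unsanitized',
    re: /\.innerHTML\s*\+?=(?!=)/ },
];

// files: { "path/in/xpi.js": "source text", ... }
// Returns one hit per (line, pattern) match, in file and line order.
function scan(files) {
  const hits = [];
  for (const [file, source] of Object.entries(files)) {
    source.split('\n').forEach((text, index) => {
      for (const p of PATTERNS) {
        if (p.re.test(text)) {
          hits.push({ file, line: index + 1, pattern: p.pattern, action: p.action, text: text.trim() });
        }
      }
    });
  }
  return hits;
}

// Formats a hit the way the policy asks: a concrete file and line reference.
function formatNote(hit) {
  return `${hit.file}:${hit.line}: ${hit.pattern} -> ${hit.action}`;
}

// Constructed sample sources (hypothetical add-on files, not real code).
const SAMPLE_FILES = {
  'chrome/content/overlay.js': [
    "var patched = eval('(' + String(original) + ')');   // patching a Firefox function with local code",
    "setTimeout('doRefresh()', 1000);                    // hardcoded JS string",
    "setTimeout(function () { doRefresh(); }, 1000);     // closure: not flagged",
    "setTimeout(remoteSnippet, 0);                       // where does remoteSnippet come from?",
    "if (node.innerHTML == cached) return;               // comparison: not flagged",
    "panel.innerHTML = xhr.responseText;                 // remote, unsanitized",
  ].join('\n'),
  'modules/util.js': [
    "var f = new Function('a', 'return a + 1');",
    "list.textContent = xhr.responseText;                // text node only: not flagged",
  ].join('\n'),
};

for (const hit of scan(SAMPLE_FILES)) {
  console.log(formatNote(hit));
}
```

Run with <code>node</code>; each output line is ready to paste into a review note. The closure on line 3, the comparison on line 5 and the <code>textContent</code> assignment in <code>util.js</code> produce no output, while the string argument and the bare identifier passed to <code>setTimeout</code> get different labels so the reviewer knows which one needs a closer look.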