Add-ons/Reviewers/Guide/Reviewing

37 bytes added, 17:06, 6 January 2016
Some wording adjustments
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using <code>setTimeout()</code>, <code>setInterval()</code>, or properties like <code>onclick</code> to evaluate JS code.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | They may be used with hardcoded JS strings, but using closures is preferred. Only reject if it's clear from the surrounding code that remote code is being evaluated.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Remote script injection.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Inserting content with <code>innerHTML</code>.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject if it's clear from the surrounding code that the code being injected is remote and unsanitized. The canned response points to the [https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/DOM_Building_and_HTML_Insertion preferred documentation] about this topic. Assignments to <code>innerHTML</code> will result in the execution of any JavaScript code present in the injected string. Since this issue can often be confusing to developers, make sure to include a reference to a code file and line where this occurs.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using DOM Mutation events.
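As an added illustration (not part of the reviewer guide or of any Mozilla tooling), a small Node.js scanner that flags the two patterns above, a string passed to <code>setTimeout()</code>/<code>setInterval()</code> and an <code>innerHTML</code> assignment whose right-hand side is not a plain string literal, and reports file and line so the note or rejection can cite them. The sample source and the file name content/panel.js are constructed; the regexes are a heuristic, and the reviewer still judges the surrounding code.

```javascript
// Heuristic scanner for two patterns from the reviewer guide (added example,
// not Mozilla's own tooling). It reports candidates with file:line so the
// reviewer note can cite them; the reviewer still judges the surrounding code.

// setTimeout()/setInterval() whose first argument is a string (evaluated as JS)
// rather than a function or closure.
const TIMER_STRING = /\b(setTimeout|setInterval)\s*\(\s*['"`]/;
// innerHTML assigned (or appended) from anything that is not a plain string literal.
const INNERHTML_ASSIGN = /\.innerHTML\s*\+?=(?!=)\s*(.*)$/;
const STRING_LITERAL = /^\s*(['"])(?:(?!\1).)*\1\s*;?\s*$/;

function scanSource(filename, source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const line = i + 1;
    if (TIMER_STRING.test(text)) {
      findings.push({ file: filename, line, rule: "timer-string", text: text.trim() });
    }
    const m = INNERHTML_ASSIGN.exec(text);
    if (m && !STRING_LITERAL.test(m[1])) {
      findings.push({ file: filename, line, rule: "innerhtml-dynamic", text: text.trim() });
    }
  });
  return findings;
}

// One "file:line [rule] code" line per finding, ready to paste into a review note.
function formatFindings(findings) {
  return findings.map((f) => `${f.file}:${f.line} [${f.rule}] ${f.text}`);
}

// Constructed sample add-on source (hypothetical file content/panel.js).
const SAMPLE = [
  "setTimeout(function () { refresh(); }, 1000);", // closure: preferred, no note
  'setTimeout("refresh()", 1000);',                // JS string: add note
  'panel.innerHTML = "<b>Loading...</b>";',        // hardcoded literal: no note
  "panel.innerHTML = xhr.responseText;",           // remote, unsanitized: reject
  "panel.textContent = xhr.responseText;",         // inserted as text only: fine
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(formatFindings(scanSource("content/panel.js", SAMPLE)).join("\n"));
}
```

Running it prints the two lines that need a note, `content/panel.js:2 [timer-string] ...` and `content/panel.js:4 [innerhtml-dynamic] ...`, while the closure, the hardcoded literal and the <code>textContent</code> assignment are left alone.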