canmove, Confirmed users
1,448
edits
Add-ons/Reviewers/Guide/Reviewing: Difference between revisions
Jump to navigation
Jump to search
Add-ons/Reviewers/Guide/Reviewing (view source)
Revision as of 17:06, 6 January 2016
, 6 January 2016Some wording adjustments
(Added on* event note) |
(Some wording adjustments) |
||
| Line 93: | Line 93: | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using <code>setTimeout()</code>, <code>setInterval()</code>, or properties like <code>onclick</code> to evaluate JS code. | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using <code>setTimeout()</code>, <code>setInterval()</code>, or properties like <code>onclick</code> to evaluate JS code. | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | They may be used with hardcoded JS strings, but using closures is preferred. Only reject if it | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | They may be used with hardcoded JS strings, but using closures is preferred. Only reject if it's clear from the surrounding code that remote code is being evaluated. | ||
|- style="vertical-align: top;" | |- style="vertical-align: top;" | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Remote script injection. | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Remote script injection. | ||
| Line 105: | Line 105: | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Inserting content with <code>innerHTML</code>. | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Inserting content with <code>innerHTML</code>. | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject if it's clear from the | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject if it's clear from the surrounding code that the code being injected is remote and unsanitized. The canned response points to the [https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/DOM_Building_and_HTML_Insertion preferred documentation] about this topic. Assignments to <code>innerHTML</code> will result in the execution of any JavaScript code present in the injected string. Since this issue can often be confusing to developers, make sure to include a reference to a code file and line where this occurs. | ||
|- style="vertical-align: top;" | |- style="vertical-align: top;" | ||
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using DOM Mutation events. | | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using DOM Mutation events. | ||