m (→Idea List)
Line 40:
* I would flag everything and only filter in the UI.
** As a result, it might be good to use some structured output from the validate script (also maybe more easily extendable by unit tests?). Maybe just use the XUnit output format.
'''Nils suggests:'''
* Make it a priority to support a web-validator. A downloadable standalone tool is nice to have but not really required. A web-validator has to be set up by people who know their stuff (only once), while a standalone tool would require regular folks to set up stuff.
* Instead of a python-standalone consider a toolkit XPI extension. This would make it easier for folks to use it and additionally jshydra can be shipped with it as a binary component.
* Add "error" severity. AMO shouldn't accept uploads having errors.
* All Javascript verification tests should be migrated from regexps to jshydra. E.g. /eval/ to JSOP_CALL/TOK_NAME(eval).
** Make it easier to write jshydra tests, by implementing some sort of query language (e.g. ASTQuery similar to XQuery for DOM)
* [error] Verify all locales are "complete". See [https://developer.mozilla.org/en/Compare-locales Compare-locales]. Incomplete locales should be regarded as an "error", as all users using that locale would see yellow-screen-of-xml-error or missing information/errors in case of string bundles. Locale errors often go unnoticed during development and reviews as usually only particular locales are affected. Often DTD/properties have the wrong encoding, hence failing to load.
* [error] Check XUL/XML for parsing errors. With all those chrome:-URLs (DTDs) it might be tricky to do so.
* [error] Check for any remote (https?|ftp) script sources in XUL
* [warn] Check global symbols in overlays only. See [http://tn123.ath.cx/pollution/ checkpollutions prototype] (python + jshydra + jshydra patches + jshydra script patches)
* [error] Blocklist certain global symbols, see [http://tn123.ath.cx/pollution/ checkpollutions prototype] for a sample list.
* [warn] base64 encoding should use atob/btoa() instead of own implementation (check for b64/base64 and variations in symbols and/or file names)
* [warn] md5/sha-1/sha2* should use nsICryptoHash.
* [warn] Dynamic creation of any xul:script/html:script tags. These should draw special attention by reviewers.
* [warn] Use xul:prefwindow. This can be checked by looking at the resource behind optionsURL.
* [error] Instead of just white-listing particular libraries (and versions) support blacklisting those with known defects or which heavily pollute the global namespace.
* [warn] Check for uneval(), as this is likely used as an insecure replacement for JSON.stringify.