User:Fbraun/Gaia/Safe innerHTML

From MozillaWiki

The progress is tracked in bug 1155131

Background

XSS is still the bane of every JavaScript project. With B2G, XSS can be much scarier than a popup or stealing a login session. See this bug for more. We want to help our engineers get their job done, but we also want to enable them to do it more securely.

The idea is to use our automation as well as some libraries to improve the security of the Gaia code base.

Disallowing innerHTML

  • TODO: Find out how to customize our linter/hinter tools to disallow innerHTML assignments while allowing empty strings (or maybe even variables declared as "const")

tagged.js

The tagged.js library can help with escaping HTML and would become our central point of control for all kinds of HTML templating. This also helps improve general security over time, without touching each and every individual app!

The library uses template strings and is used as follows:

 var title = "foo";                                // from untrusted user input
 var text  = "<img src='x' onerror='alert(1)'/>";  // ditto
 // foo is a DOM element; the literal markup stays as written, only the interpolated values are escaped
 foo.innerHTML = tagged`<a href="more.html" title="${title}">${text}</a>`;
 // assigns: <a href="more.html" title="foo">&lt;img src='x' onerror='alert(1)'/&gt;</a>

Fortunately, the JavaScript template strings feature lets a tag function see which portion of the HTML comes from the source code and which comes from a user. Treating them differently is key to our solution!
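To illustrate the mechanism, here is an added example of a minimal HTML-escaping template tag. It is not code from tagged.js or from Gaia; the names safeHtml, escapeHtml, unsafeConcat and renderLink are made up for this page, and unlike the output shown above it also escapes quote characters, so that a value placed inside an attribute cannot close that attribute.

```javascript
// Added example, not the tagged.js library: a template tag that escapes
// only the interpolated values and leaves the developer-written markup alone.

// Characters that carry meaning in HTML text or attribute context.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape one untrusted value for insertion into HTML (text or quoted attribute).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// A tag function receives the literal parts of the template (written by the
// developer, trusted) in `strings` and the ${...} substitutions (potentially
// untrusted) as the remaining arguments. The runtime keeps them apart for us,
// so we can escape the substitutions and splice the literals back unchanged.
function safeHtml(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// The pattern the linter rule above is meant to flag: plain concatenation
// cannot tell markup from data, so the data is interpreted as markup.
function unsafeConcat(title, text) {
  return '<a href="more.html" title="' + title + '">' + text + "</a>";
}

// The same markup built through the tag; title and text are untrusted.
function renderLink(title, text) {
  return safeHtml`<a href="more.html" title="${title}">${text}</a>`;
}

// Constructed sample inputs mirroring the wiki's example (hypothetical user input).
const SAMPLE_TITLE = "foo";
const SAMPLE_TEXT = "<img src='x' onerror='alert(1)'/>";

console.log("unsafe:", unsafeConcat(SAMPLE_TITLE, SAMPLE_TEXT));
console.log("safe:  ", renderLink(SAMPLE_TITLE, SAMPLE_TEXT));
console.log("quotes:", renderLink('say "hi"', "plain"));
```

The string returned by renderLink can then be assigned to innerHTML; the img element never comes into existence because the angle brackets and quotes arrive as entities. Escaping quotes as well as angle brackets matters for attribute values: without it, a title containing a double quote would end the title attribute and whatever follows would be parsed as further attributes.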