
In a recent review by the AMO editors, my Thunderbird addon's version was rejected because it "creates HTML from strings containing unsanitized data" - which "is a major security risk".

I think I understand why. Now, my problem is about how to solve that issue.

This thread gave me some clues, but it's not quite what I need.

My addon needs to paste the contents of the clipboard as a hyperlink, by using the clipboard contents as the link text, and inserting html around it like this: `" + clipboardtext + "".

Now, if I am inserting the clipboard contents as HTML, I need to "sanitize" it first. Here is what I came up with. Now, I haven't written in the regex part yet, because I don't think this is the best way to do this, although I think it will work:

function makeSafeHTML(whathtml){
    // Cc and Ci are the usual chrome-code shorthands for Components.classes
    // and Components.interfaces
    var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
    // second argument is the sanitizer flag bitmask; 1 is the lowest flag bit
    // (nsIParserUtils.SanitizerAllowStyle). Written as a plain decimal literal:
    // "01" is an octal literal that sloppy mode reads as 1 and strict mode rejects.
    var sanitizedHTML = parser.sanitize(whathtml, 1);

    // now remove the extra tags added by the sanitization method, perhaps via regex
    // "<html><head></head><body>"
    // "</body></html>"

    return sanitizedHTML;
}

My intent is to do this with the resulting "sanitized" string - this will paste the string as the href value of a hyperlink:

var html_editor = editor.QueryInterface(Components.interfaces.nsIHTMLEditor);
html_editor.insertHTML("<a href='"+whathref+"'>"+whattext+"</a>");

So I am looking for a better way to get sanitized HTML into a simple string variable. Would any of you do it this way?

bgmCoder

1 Answer


It seems that you simply want to insert clipboard contents into HTML code as pure text - you don't need any complicated escaping approach then, it's enough to make sure all "dangerous" characters are replaced by HTML entities:

var sanitizedText = text.replace(/&/g, "&amp;").replace(/</g, "&lt;")
                        .replace(/>/g, "&gt;").replace(/"/g, "&quot;");

It's not clear from your question what you do with the generated HTML code. If you add it to a DOM document via something like innerHTML then you can do better - add the HTML code first and manipulate the text in the document then:

document.getElementById("text-container").textContent = text;

Using Node.textContent to set text in a document is always safe, no escaping needs to be performed.

Wladimir Palant
  • Thanks, Wladimir. I added the code I intend to use for inserting the html. The thing here is that I am not using any handle to a dom node. So you think your replacement scheme is better than using the `sanitize` method? – bgmCoder May 28 '13 at 14:15
  • @BGM: If all you need is insert some text - sure that's better. The `sanitize` method is meant for actual HTML code that you got from an untrusted source - it's clearly overdimensioned here. – Wladimir Palant May 29 '13 at 07:11
  • Thanks, Wladimir (you've been helpful to me before, too, in fact) - I added the snippet and re-submitted my addon. If you are interested, it is here: https://addons.mozilla.org/thunderbird/addon/406802 - but the new version will be 1.4.4 when it gets approved. – bgmCoder May 29 '13 at 13:51
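The answer's entity-replacement approach carried through for the exact markup the question builds, as an added example that is not part of the original post or the add-on. Two details matter for this page's `insertHTML("<a href='"+whathref+"'>"+whattext+"</a>")` call: the answer's replace chain leaves `'` untouched, which is fine for text nodes and double-quoted attributes but lets clipboard text break out of a single-quoted `href='...'`; and escaping protects the markup, not the link target, so a `javascript:` href is still a live link after escaping. The `escapeHtml`, `isSafeHref` and `makeLinkHtml` names, the scheme allow-list and the sample inputs are all constructed for this example.

```javascript
// Added example, not from the original question or answer.
// Escape interpolated values for both the text-node and the quoted-attribute
// contexts of an <a> element, and refuse link targets whose scheme can run script.

// Every character with a meaning in HTML text or inside a quoted attribute value.
// The single quote is included because the page builds href='...' with single quotes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list of schemes for the link target. This list is an assumption made
// for the example; widen it if the add-on legitimately needs other schemes.
const SAFE_SCHEMES = ["http:", "https:", "mailto:"];

function isSafeHref(href) {
  let url;
  try {
    url = new URL(href); // throws on relative, empty or garbled input
  } catch (e) {
    return false;
  }
  return SAFE_SCHEMES.includes(url.protocol);
}

// Same markup as the question's insertHTML call, with both interpolated values
// escaped and the href checked before it is used at all.
function makeLinkHtml(whathref, whattext) {
  if (!isSafeHref(whathref)) {
    throw new Error("refusing to link to " + JSON.stringify(whathref));
  }
  return "<a href='" + escapeHtml(whathref) + "'>" + escapeHtml(whattext) + "</a>";
}

// Constructed sample inputs. The first is clipboard text that would have closed
// the single-quoted href and added an event handler attribute if pasted raw.
const HOSTILE_TEXT = "x' onmouseover='alert(1)";
const HOSTILE_HREF = "javascript:alert(document.cookie)";
const ORDINARY_HREF = "https://example.com/?a=1&b=2";
const ORDINARY_TEXT = "Tom & <Jerry>";
```

Escaping is a per-context operation: the same `escapeHtml` is safe for the text node and for a quoted attribute value, but nothing you do to the string makes an arbitrary URL safe to follow, which is why the scheme check sits in front of the markup building rather than inside the escaper.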