Unsafe assignment to innerHTML

Question

I was trying to get an add on for Firefox signed by Mozilla so I could use it on the stable version of firefox and I'm getting this validation issue.

Can someone help me understand what it is?

Unsafe assignment to innerHTML

Warning: Due to both security and performance concerns, 
    this may not be set using dynamic values which have not been adequately sanitized. 
    This can lead to security issues or fairly serious performance degradation.
    datetime.js line 4 column 5

function updateClock(){
    var doc=window.content.document
    var dt = new Date();
    doc.getElementById("datetime").innerHTML = dt.toLocaleTimeString();
}

setInterval(updateClock, 0);

Does this answer your question? [Best way to purge innerHTML from a Firefox Extension](https://stackoverflow.com/questions/45579400/best-way-to-purge-innerhtml-from-a-firefox-extension) — Álvaro Tihanyi, Dec 25 '20 at 12:06
`toLocaleTimeString()` doesn't return HTML so I don't think you even want to modify HTML tags. You possibly want to modify the text contents of an existing node. — Álvaro González, Dec 25 '20 at 12:22

score 5 · Accepted Answer · answered Dec 25 '20 at 13:57

5

dt.toLocateTimeString() return a String instead of HTML. Instead of, use innerText or textContent:

doc.getElementById("datetime").innerText = dt.toLocaleTimeString();
doc.getElementById("datetime").textContent = dt.toLocaleTimeString();

answered Dec 25 '20 at 13:57

FahDev

357
1
7

What when you need to actually add HTML tags? – S. W. G. Apr 15 '22 at 18:02
`innerHTML` will do the job `doc.getElementById("datetime").innerHTML = "
test
"` – FahDev Jun 12 '23 at 16:06

Unsafe assignment to innerHTML

1 Answers1