The review of my add-on arrived and I got the comment:
“the ... line ... seems to create a script from strings with dynamic parameters and it looks like these are coming from a remote file. Given the dynamic parameters are not escaped script injection could occur. Please make sure the values are escaped.”
Can anyone tell me how to escape these parameters in a secure way? Is there a single JS function to call?
Here is some comparable code:
var jsCode = "var injectObject = new Object();" +
"injectObject .valueToInject = '" + valueFromRemoteFile + "';";
browser.tabs.executeScript(tabId, {code: jsCode });
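
One way to do the escaping the reviewer asks for, as an added example that is not part of the original post: serialize the value with `JSON.stringify` rather than placing it between hand-written quotes. The names `buildInjectCode`, `buildInjectCodeUnsafe`, `runInSandbox` and `injectValue`, and the sample value `hostile`, are hypothetical and constructed for illustration.

```javascript
// Added example: serialize untrusted data with JSON.stringify instead of
// concatenating it between quote characters.

// Build the injected source. JSON.stringify emits a quoted literal with quotes,
// backslashes and control characters escaped, so the value cannot end the string.
function buildInjectCode(valueFromRemoteFile) {
  const literal = JSON.stringify(String(valueFromRemoteFile))
    // U+2028/U+2029 are line terminators in pre-ES2019 JavaScript source.
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var injectObject = { valueToInject: " + literal + " };";
}

// The concatenation from the post, kept only for comparison.
function buildInjectCodeUnsafe(valueFromRemoteFile) {
  return "var injectObject = new Object();" +
    "injectObject.valueToInject = '" + valueFromRemoteFile + "';";
}

// Run generated source in a throwaway function scope (a stand-in for the tab)
// and report the resulting value and whether extra statements executed.
function runInSandbox(code) {
  const scope = { touched: false };
  const fn = new Function("scope", code + "; return injectObject.valueToInject;");
  const value = fn(scope);
  return { value: value, touched: scope.touched };
}

// Constructed sample value: closes the single quote and appends a statement.
const hostile = "x'; scope.touched = true; var y = '";

// In the add-on itself (`browser` only exists inside the extension).
function injectValue(tabId, valueFromRemoteFile) {
  return browser.tabs.executeScript(tabId, {
    code: buildInjectCode(valueFromRemoteFile)
  });
}
```

Building no code at all is safer still: load a fixed content script with the `file` option of `executeScript` and hand it the value with `browser.tabs.sendMessage`.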