Generating script fragments such as content scripts from sanitized string data

Generating script fragments such as content scripts from unsanitized string data is error prone and poses a major risk of security vulnerabilities. For more information, please see https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion#listeners

Will you please let me know how I can generate script fragments such as content scripts from sanitized string data.

Moved from Uncategorized to appropriate category.

The linked page explains how you sanitize remote strings.

There are lots of things present in the link.
Is it possible to refer to/add some code snippets?

Thanks in Advance…
Prashant.

That depends on your exact code. Different use cases have different solution approaches.

How to generate the dynamic script element and inject that to source page?
I want to inject some variables into the source page.

You’ll need to provide more details. What code does this script contain? Is it local, or remote? Where do you inject it?

It is remote…
I want to inject this into the currently open page/active tab.

I’ve had my add-on updates rejected because of this problem, trying to process unsanitized remote data.

Eventually I have been able to avoid that, but that was only possible because all of the remote data I use is pure text, not code, so I changed the source code to fetch the remote text and add it JUST as text nodes and text attributes (no onClick attributes) into the DOM after processing local static markup.

So far I don’t think that there will be any other way of using any remote data in add-ons other than text alone, especially executable remote data:

Remote script injection.

Action: Reject

Add-ons can use data-only APIs, but should never download and execute remote code, not even in the scope of a webpage. Any use of the <script> tag (like createElement("script")) needs to be carefully analyzed. Using remote PAC files is not allowed.

And

Remote code download or execution, custom update code.

Action: Reject

As explained in the validation section, no remote code execution is allowed.

https://wiki.mozilla.org/AMO/Reviewers/Guide/Reviewing

So unless your add-on is another Greasemonkey add-on, you will very likely never get it approved in its current state.
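The text-only approach described in the post above, as an added example that is not code from this thread or from any add-on: the element type comes from the add-on's own static markup, while remote strings go in only through createTextNode and setAttribute, with event-handler attributes and non-http(s) hrefs dropped. The names ALLOWED_ATTRS, isSafeUrl, toSafeDescription, renderRemoteLink and the sample record are assumptions constructed for illustration.

```javascript
// Added example: insert remote data only as text nodes and plain attribute
// values, never as markup, script, or event handlers. Element types come
// from the add-on's own static markup; only strings come from the remote.

// Attributes a remote string may populate. Everything else (including every
// on* handler attribute) is dropped silently.
const ALLOWED_ATTRS = new Set(['title', 'alt', 'href']);

// Only absolute http(s) targets are accepted for href, so javascript:, data:
// and similar schemes arriving in remote data cannot become executable.
function isSafeUrl(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch (e) {
    return false; // relative or unparsable: treated as unsafe (conservative)
  }
}

// Reduce one remote record to a data-only description: the text to show and
// the attribute values that passed the allowlist and the URL check.
function toSafeDescription(record) {
  const attrs = {};
  for (const [name, value] of Object.entries(record.attrs || {})) {
    const key = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(key)) continue;
    if (key === 'href' && !isSafeUrl(value)) continue;
    attrs[key] = String(value);
  }
  return { text: String(record.text || ''), attrs };
}

// Build the node with createTextNode/setAttribute so the browser never parses
// the remote strings as HTML. `doc` is the page document (or a test double).
function renderRemoteLink(doc, record) {
  const safe = toSafeDescription(record);
  const el = doc.createElement('a'); // element chosen locally, not remotely
  for (const [k, v] of Object.entries(safe.attrs)) el.setAttribute(k, v);
  el.appendChild(doc.createTextNode(safe.text));
  return el;
}

// Constructed sample resembling untrusted remote data: the text is shown
// literally, the javascript: href and the onclick handler are discarded.
const SAMPLE_RECORD = {
  text: '<b>shown literally, not as markup</b>',
  attrs: { href: 'javascript:void(0)', onclick: 'ignored()', title: 'Remote title' },
};
```

In a page, `renderRemoteLink(document, SAMPLE_RECORD)` yields an anchor whose title is the remote string and whose visible text is the literal characters, with no href and no handler.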

Is it possible to share some sample code of injecting remote scripts into source page?
Please help me, I am already running out of date…

Thanks
Prashant.

AMO does not accept add-ons that do this, unless it is another Greasemonkey add-on.

You will have to find a different way, either include the remote scripts inside your add-on or don’t use them at all.