So this is the cause:
1. Your add-on creates DOM nodes from HTML strings containing
potentially unsanitized data, by assigning to innerHTML, jQuery.html, or
through similar means. Aside from being inefficient, this is a major
security risk. For more information, see https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion .
Please fix them and submit again. Thank you.
The function causing this should be this one:
http://jsfiddle.net/8or0az7s/1/
It’s slightly modified, but it uses innerHTML in the same way as the one I’ve submitted.
I’m calling the function as an example of how it works: the words or regular expressions are given by the user, then I look for the text nodes and replace the matches with my code. As far as I know this is not a security risk, and the function is quite efficient.
Using:
// Maps & " < > to their HTML entities (standard-syntax form of the MDN snippet; the entities were lost in the original paste)
function escapeHTML(str) { return str.replace(/[&"<>]/g, function (m) { return { "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" }[m]; }); }
as suggested here: https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion
will make it hard to highlight terms like " > < &
Right now it works as expected: all the characters mentioned above can be highlighted and are not causing any issues.
So what can I do to resolve this without losing functionality and speed?
Thanks.
P.S. The rest of the code can be found here:
It’s done using jpm, so just use jpm run and it should work.
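The usual way out of this review objection is to stop building HTML strings at all: split each text node on the matches and assemble the replacement from createTextNode/createElement calls, so nothing the user typed (or that the page contains) is ever parsed as markup, and `"`, `>`, `<` and `&` highlight fine with no escapeHTML step. The following is an added example written for this answer, not the poster's code, the fiddle, or any Mozilla snippet. The function names, the `my-highlight` class, and the `fakeDocument()` stand-in (a tiny DOM substitute so the file runs under Node; in the add-on you pass the real `document`) are all assumptions of this example, and the sample page text is constructed.

```javascript
// Added example (not the poster's code or the fiddle): highlight user-supplied terms in text
// nodes using only DOM node APIs. No HTML string is ever parsed, so < > & " need no escaping.
// Escape regex metacharacters so a literal term such as "a+b" matches literally
// (skip when the user deliberately typed a regular expression).
function escapeRegExp(term) {
  return term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
// One global matcher from the user's terms, longest alternative first so "<b>" beats "<".
function buildMatcher(terms, { literal = true, ignoreCase = true } = {}) {
  const parts = terms.filter(t => t.length > 0).sort((a, b) => b.length - a.length)
    .map(t => (literal ? escapeRegExp(t) : t));
  return parts.length ? new RegExp(parts.join("|"), ignoreCase ? "gi" : "g") : null;
}
// Split text into {text, hit} segments. Pure, so it can be tested without a DOM.
function segment(text, matcher) {
  if (!matcher) return [{ text, hit: false }];
  const out = []; let last = 0, m; matcher.lastIndex = 0;
  while ((m = matcher.exec(text)) !== null) {
    if (m[0] === "") { matcher.lastIndex++; continue; } // user regex like "x*": skip zero-width matches
    if (m.index > last) out.push({ text: text.slice(last, m.index), hit: false });
    out.push({ text: m[0], hit: true });
    last = m.index + m[0].length;
  }
  if (last < text.length) out.push({ text: text.slice(last), hit: false });
  return out;
}

const HIGHLIGHT_CLASS = "my-highlight"; // assumed class name; style it from the add-on's CSS

// Replace one text node with text nodes and <span> wrappers. Every piece of text goes
// through createTextNode, so the browser never interprets page or user text as markup.
function highlightTextNode(textNode, matcher, doc = textNode.ownerDocument) {
  const segs = segment(textNode.nodeValue, matcher);
  const hits = segs.filter(s => s.hit).length;
  if (hits === 0) return 0;
  const frag = doc.createDocumentFragment();
  for (const s of segs) {
    let node = doc.createTextNode(s.text);
    if (s.hit) {
      const span = doc.createElement("span");
      span.className = HIGHLIGHT_CLASS;
      span.appendChild(node);
      node = span;
    }
    frag.appendChild(node);
  }
  textNode.parentNode.replaceChild(frag, textNode);
  return hits;
}

// Collect text nodes first (skipping script/style and our own spans): highlighting
// mutates the tree, so do not walk and replace at the same time.
function collectTextNodes(root, out = []) {
  for (const c of Array.from(root.childNodes)) {
    if (c.nodeType === 3) out.push(c);
    else if (c.nodeType === 1 && !/^(script|style)$/i.test(c.tagName) && c.className !== HIGHLIGHT_CLASS)
      collectTextNodes(c, out);
  }
  return out;
}
function highlightAll(root, matcher) {
  return collectTextNodes(root).reduce((n, t) => n + highlightTextNode(t, matcher), 0);
}

// Minimal stand-in for the browser DOM so this file runs under Node; in the add-on pass the
// real `document`. Only the methods used above exist; serialize() is for inspection only.
function fakeDocument() {
  const doc = {};
  const kidsOf = n => (n.nodeType === 11 ? n.childNodes.splice(0) : [n]);
  const make = (nodeType, extra) => {
    const n = Object.assign({ nodeType, ownerDocument: doc, parentNode: null, childNodes: [] }, extra);
    n.appendChild = child => { n.childNodes.push(...kidsOf(child).map(k => (k.parentNode = n, k))); return child; };
    n.replaceChild = (fresh, old) => {
      n.childNodes.splice(n.childNodes.indexOf(old), 1, ...kidsOf(fresh).map(k => (k.parentNode = n, k)));
      old.parentNode = null;
      return old;
    };
    return n;
  };
  doc.createTextNode = text => make(3, { nodeValue: String(text) });
  doc.createElement = tag => make(1, { tagName: tag.toUpperCase(), className: "" });
  doc.createDocumentFragment = () => make(11, {});
  const esc = s => s.replace(/[&<>]/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
  doc.serialize = n => n.nodeType === 3 ? esc(n.nodeValue)
    : n.nodeType === 11 ? n.childNodes.map(doc.serialize).join("")
    : `<${n.tagName.toLowerCase()}${n.className ? ` class="${n.className}"` : ""}>` +
      n.childNodes.map(doc.serialize).join("") + `</${n.tagName.toLowerCase()}>`;
  return doc;
}

// Demo with the awkward terms from the question plus an HTML-looking one (sample text is constructed).
function demo() {
  const doc = fakeDocument();
  const div = doc.createElement("div"), p = doc.createElement("p"), script = doc.createElement("script");
  p.appendChild(doc.createTextNode('price > 5 & cost < 3, see "<b>x</b>"'));
  script.appendChild(doc.createTextNode("if (a < b) {}"));
  div.appendChild(p); div.appendChild(script);
  const hits = highlightAll(div, buildMatcher([">", "<", "&", '"', "<b>"]));
  return { hits, html: doc.serialize(div), nodes: p.childNodes.length };
}
```

In the add-on you would call `highlightAll(document.body, buildMatcher(userTerms, { literal: !userWantsRegex }))` from the content script. Two things worth keeping in mind: the only escaping left is of regex metacharacters, and only for terms the user meant literally; and when the user is allowed to supply a real regular expression, a pathological pattern can make `exec` take a very long time on a big page (catastrophic backtracking), which is a denial-of-service concern for the user's own browser rather than an injection one, so it is reasonable to cap term length or run the matcher on a bounded amount of text.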