Sanitize html

Got this warning from AMO:

This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means.

Will something like this (https://stackoverflow.com/a/10772475/6113286) work:

```javascript
String.prototype.sanitizeHTML = function (white, black) {
   if (!white) white = "b|i|p|br";            // allowed tags
   if (!black) black = "script|object|embed"; // tags to remove completely
   var e = new RegExp("(<(" + black + ")[^>]*>.*</\\2>|(?!<[/]?(" + white + ")(\\s[^<]*>|[/]>|>))<[^<>]*>|(?!<[^<>\\s]+)\\s[^</>]+(?=[/>]))", "gi");
   return this.replace(e, "");
};
```

Now, using document.createElement('div') to generate the DOM, I guess this approach is ok?

document.createElement('div') is defensively fine (unless, of course, you set the innerHTML of the new div).

If you do want to use a sanitization function, please don’t just grab a poorly documented function somewhere from the internet. It’s a bit hard to tell because not even the arguments are documented, but I don’t think the function above works as intended.
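An added example (not code from either poster) of the approach the reply recommends: untrusted strings go into textContent or a scheme-checked attribute via createElement, so nothing is ever parsed as HTML. The names renderComment, fakeDocument and serialize are hypothetical; fakeDocument is a tiny stand-in for the browser document so the sample runs in Node.

```javascript
// Build a DOM fragment from untrusted data without innerHTML.
// Text lands in textContent, so any markup inside it stays literal text.
const SAFE_URL = /^https?:\/\//i;   // only http(s) links may become hrefs

function renderComment(doc, comment) {
  const wrapper = doc.createElement('div');
  wrapper.className = 'comment';

  const author = doc.createElement('b');
  author.textContent = comment.author;          // untrusted -> text node
  wrapper.appendChild(author);

  const body = doc.createElement('p');
  body.textContent = comment.body;              // untrusted -> text node
  wrapper.appendChild(body);

  // Attributes need their own check: a URL-valued attribute is only set
  // when the scheme is on the allow list above.
  if (typeof comment.url === 'string' && SAFE_URL.test(comment.url)) {
    const link = doc.createElement('a');
    link.setAttribute('href', comment.url);
    link.setAttribute('rel', 'noopener');
    link.textContent = 'source';
    wrapper.appendChild(link);
  }
  return wrapper;
}

// Constructed stand-in for `document` so this runs outside a browser;
// in an add-on, pass the real `document` instead.
function fakeDocument() {
  return {
    createElement(tag) {
      return { tag, attrs: {}, children: [], textContent: '', className: '',
               appendChild(c) { this.children.push(c); },
               setAttribute(k, v) { this.attrs[k] = v; } };
    },
  };
}

// Serialize the fake tree the way a browser would, escaping text nodes.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function serialize(n) {
  const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  const cls = n.className ? ` class="${n.className}"` : '';
  const inner = n.children.length ? n.children.map(serialize).join('') : escapeText(n.textContent);
  return `<${n.tag}${cls}${attrs}>${inner}</${n.tag}>`;
}
```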