How to use nsIParserUtils inside Firefox Add-on SDK 1.10 main.js?
<p>My recent submission to the Firefox add-on site (based on Firefox Add-on SDK 1.10) was rejected because I have not sanitized the input I use, and it was suggested that I <a href="https://developer.mozilla.org/en-US/docs/XUL_School/DOM_Building_and_HTML_Insertion#Safely_Using_Remote_HTML" rel="nofollow">use <code>nsIParserUtils</code></a>.</p>
<p>I found the function <code>parseHTML(doc, html, allowStyle, baseURI, isXML)</code> on that page. I changed it to:</p>
<pre class="lang-js prettyprint-override"><code>// Cc and Ci are provided by require("chrome") in Add-on SDK code.
function parseHTML(doc, html, allowStyle, baseURI, isXML) {
    var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
    var f = parser.parseFragment(html, allowStyle ? parser.SanitizerAllowStyle : 0,
                                 !!isXML, baseURI, doc);
    return f;
}
</code></pre>
<p>The first parameter is said to be a document element. I have no idea what that is supposed to be. I tried <code>document.createDocumentFragment()</code> but I get a "ReferenceError: document is not defined" error. Can someone help me with how to call this function?</p>
<p>And the function returns an <code>nsIDOMDocumentFragment</code>. How do I convert that back to a string?</p>
<hr>
<p>UPDATE:</p>
<p>As suggested by @zer0 I used:</p>
<pre class="lang-js prettyprint-override"><code>var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
var sanitizedHTML = parser.sanitize(html, flags);
</code></pre>
<p>But it defeats the purpose of what I wanted to do. For example:</p>
<pre class="lang-html prettyprint-override"><code>&lt;html&gt;&lt;head&gt;&lt;BASE href='http://localhost/t/h.html' /&gt;
&lt;link rel="stylesheet" type="text/css" href="h.css"&gt;
&lt;style type="text/css"&gt;
.b{ color:green; }
&lt;/style&gt;
&lt;base href="http://foo.example.com/"&gt;
&lt;/head&gt;&lt;body&gt;Sample Text.
No Style
&lt;script&gt;Hello malicious code&lt;/script&gt;
&lt;p class="a"&gt;External Style&lt;/p&gt;
&lt;p class="b"&gt;Internal Style&lt;/p&gt;
&lt;p style="color:blue"&gt;Inline Style&lt;/p&gt;
&lt;a href="sample.html"&gt;Link&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;div style='color: #666666; font-size: 12px'&gt;Clipped on 6-October-2012, 07:37:39 PM from &lt;a href='http://localhost/t/h.html'&gt;http://localhost/t/h.html&lt;/a&gt; &lt;/div&gt;&lt;/body&gt;&lt;/html&gt;
</code></pre>
<p>is converted to:</p>
<pre class="lang-html prettyprint-override"><code>&lt;html&gt;&lt;head&gt;
&lt;style type="text/css"&gt;
.b{ color:green; }
&lt;/style&gt;
&lt;/head&gt;&lt;body&gt;Sample Text. No Style
&lt;p class="a"&gt;External Style&lt;/p&gt;
&lt;p class="b"&gt;Internal Style&lt;/p&gt;
&lt;p style="color:blue"&gt;Inline Style&lt;/p&gt;
&lt;a&gt;Link&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;div style="color: #666666; font-size: 12px"&gt;Clipped on 6-October-2012, 07:37:39 PM from &lt;a href="http://localhost/t/h.html"&gt;http://localhost/t/h.html&lt;/a&gt; &lt;/div&gt;&lt;/body&gt;&lt;/html&gt;
</code></pre>
<p>As this strips the external hyperlinks and CSS, it defeats the purpose of the add-on itself. What I want is for just the scripts to be removed:</p>
<pre class="lang-html prettyprint-override"><code>&lt;html&gt;&lt;head&gt;&lt;BASE href='http://localhost/t/h.html' /&gt;
&lt;BASE href='http://localhost/t/h.html' /&gt;
&lt;link rel="stylesheet" type="text/css" href="h.css"&gt;
&lt;style type="text/css"&gt;
.b{ color:green; }
&lt;/style&gt;
&lt;base href="http://foo.example.com/"&gt;
&lt;/head&gt;&lt;body&gt;Sample Text.
No Style
&lt;p class="a"&gt;External Style&lt;/p&gt;
&lt;p class="b"&gt;Internal Style&lt;/p&gt;
&lt;p style="color:blue"&gt;Inline Style&lt;/p&gt;
&lt;a href="sample.html"&gt;Link&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;div style='color: #666666; font-size: 12px'&gt;Clipped on 6-October-2012, 07:37:39 PM from &lt;a href='http://localhost/t/h.html'&gt;http://localhost/t/h.html&lt;/a&gt; &lt;/div&gt;&lt;/body&gt;&lt;/html&gt;
</code></pre>
<p>Can someone shed some light on this?</p>
 
