<p>Your code will bitterly fail e.g. when <code>response.text</code> includes a double quote. Then your code would be (assume it is <code>&lt;a href="hello"&gt;world&lt;/a&gt;</code>):</p>
<pre><code>document.body.innerHTML = "&lt;h1&gt;&lt;a href="hello"&gt;world&lt;/a&gt;&lt;/h1&gt;";
</code></pre>
<p>This is obviously invalid code.</p>
<p>Your code basically constructs a dynamic script from unsanitized data, which is a bad idea because (other than the escaping problem above)</p>
<ol>
<li>you'll be running an unsanitized content script if that code is even valid and</li>
<li>if that would succeed, the page might run unsanitized code as well.</li>
</ol>
<p>This is the web equivalent to SQL injection attacks...</p>
<p>First, let's tackle 1.) with <a href="https://addons.mozilla.org/en-US/developers/docs/sdk/latest/modules/sdk/content/worker.html#Worker" rel="nofollow">messaging</a> (<a href="https://addons.mozilla.org/en-US/developers/docs/sdk/latest/dev-guide/guides/content-scripts/index.html" rel="nofollow">more</a>):</p>
<pre><code>// The content script source is a fixed string; the data travels separately
// over the port instead of being concatenated into the script.
var worker = tabs.activeTab.attach({
  contentScript: 'self.port.on("setdom", function(data) { ' +
    'document.body.innerHTML = data; /* still a security issue! */' +
    '});'
});
worker.port.emit("setdom", response.text);
</code></pre>
<p>This guarantees that the content script will be valid (can even run) and does not run arbitrary code.</p>
<p>However 2.) is still a problem. Read <a href="https://developer.mozilla.org/en-US/docs/XUL/School_tutorial/DOM_Building_and_HTML_Insertion" rel="nofollow">DOM Building and HTML insertion</a>.</p>