A Firefox add-on I develop keeps producing warnings when I submit it to the store, and many of them are about innerHTML:

Unsafe assignment to innerHTML

Warning: Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately sanitized. This can lead to security issues or fairly serious performance degradation.

In other words, assigning to innerHTML is a security risk.
So I rewrote the relevant operations:

// temp must have exactly one root node; only the first element of <body> is returned
export const domFromTemp = (temp) => {
  const parser = new DOMParser();
  // Parse the markup into a separate, inert document instead of assigning innerHTML
  const doc = parser.parseFromString(temp, 'text/html');
  return doc.body.firstElementChild;
};
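Switching from innerHTML to DOMParser silences the linter, but the warning is really about unsanitized dynamic values: the parser does not sanitize anything, so a string built from untrusted input still carries whatever tags and attributes it contained. The following is an added example, not code from this post or from lit-html, of a small tagged template that escapes every interpolated value before the resulting markup is handed to domFromTemp; the names html, trusted, escapeHtml and renderComments are assumptions of this example, and the comment data is constructed.

```javascript
// Added example (not from the original post or from lit-html): escape dynamic
// values before they reach domFromTemp(), so only literal template markup is
// ever parsed as HTML. All helper names here are assumptions of this example.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
const escapeHtml = (value) =>
  String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);

// Wrapper for markup that has already been vetted; only these are inlined raw.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}
const trusted = (markup) => new TrustedHtml(markup);

// Render one interpolated value: nested templates pass through, arrays are
// joined, everything else is escaped.
const render = (v) => {
  if (v instanceof TrustedHtml) return v.markup;
  if (Array.isArray(v)) return v.map(render).join('');
  return escapeHtml(v);
};

// Tag function: literal parts are kept verbatim, every ${...} goes through render().
const html = (strings, ...values) =>
  new TrustedHtml(strings.reduce((out, str, i) => out + render(values[i - 1]) + str));

// Constructed sample use: comments from an untrusted source rendered as a list.
// In the add-on this would be: domFromTemp(String(renderComments(comments)))
const renderComments = (comments) =>
  html`<ul>${comments.map((c) => html`<li class="${c.author}">${c.text}</li>`)}</ul>`;
```

Because a nested html`...` call returns a TrustedHtml, templates compose without double escaping, while any plain string (including one that looks like markup) is always escaped; only markup deliberately wrapped with trusted() reaches the parser unchanged.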

But the warning still did not go away. After some digging I found the trace in a dependency package:
lit-html
https://github.com/lit/lit/blob/main/packages/lit-html/src/lit-html.ts#L1080
which does assign to innerHTML.
I am considering whether to fork a copy for my own use……

posted on 2022-02-19 15:41 by 死宅程序员