- Inserting unsanitized remote content is a security problem. For example, JavaScript can be passed as href/src/on** etc.
- The add-on should ensure such strings are not executable (and not javascript:somefunction).
- In the case of href/src, a simple startsWith('http') would be sufficient for this purpose.
- e.g.:
- js/popup/popupdummy.js#L163
- js/popup/popupdummy.js#L189
- Please fix them and submit again. Thank you.
- Please note that if the add-on contains obfuscated, minified, concatenated or otherwise machine-generated code, the code has not been checked yet and their sources will be required in future updates.
- Self-minified: https://developer.mozilla.org/en-US/Add-ons/Source_Code_Submission
- Third Party Library: https://developer.mozilla.org/en-US/Add-ons/Third_Party_Library_Usage
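
The scheme check requested in the review above, as an added example that is not part of the original message or the add-on's code. It parses each remote value with the URL constructor and sets href/src only when the scheme is http or https, a stricter form of the prefix test. The function names and the item fields (title, link, image) are assumptions.

```javascript
// Added example; names and the shape of `item` are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized absolute http(s) URL, or null when the value
// must not be placed in an href/src attribute.
function safeHttpUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    // No base URL is given, so relative values fail to parse and are rejected.
    parsed = new URL(raw.trim());
  } catch (e) {
    return null;
  }
  // The parser lowercases the scheme and drops embedded tabs/newlines,
  // so the comparison sees the same scheme the browser would act on.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Reduces a remote record to values that are safe to hand to the DOM.
function sanitizeRemoteItem(item) {
  return {
    title: String(item.title ?? ''), // rendered via textContent only
    href: safeHttpUrl(item.link),
    src: safeHttpUrl(item.image),
  };
}

// Builds the link without innerHTML, so remote strings are never parsed
// as markup and no on* handler attribute can be introduced.
function renderItem(doc, item) {
  const clean = sanitizeRemoteItem(item);
  const a = doc.createElement('a');
  a.textContent = clean.title;
  if (clean.href) a.setAttribute('href', clean.href);
  if (clean.src) {
    const img = doc.createElement('img');
    img.setAttribute('src', clean.src);
    a.appendChild(img);
  }
  return a;
}
```

In the popup script, `renderItem(document, item)` replaces string concatenation into innerHTML at the flagged lines.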