Question

In a recent review by the AMO editors, my Thunderbird addon's version was rejected because it "creates HTML from strings containing unsanitized data" - which "is a major security risk".

I think I understand why. Now, my problem is about how to solve that issue.

This thread gave me some clues, but it's not quite what I need.

My addon needs to paste the contents of the clipboard as a hyperlink, by using the clipboard contents as the link text, and inserting html around it like this: `" + clipboardtext + "".

Now, if I am inserting the clipboard contents as HTML, I need to "sanitize" it first. Here is what I came up with. Now, I haven't written in the regex part yet, because I don't think this is the best way to do this, although I think it will work:

const Cc = Components.classes, Ci = Components.interfaces; // chrome-privileged shorthands used below

function makeSafeHTML(whathtml){
    var parser = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils);
    // second argument is the sanitizer flags bitmask; 1 was written as the legacy octal literal 01, which strict mode rejects
    var sanitizedHTML = parser.sanitize(whathtml, 1);

    //now remove the extra tags added by the sanitization method, perhaps via regex
    //"<html><head></head><body>"
    //"</body></html>"

    return sanitizedHTML;
}

My intent is to do this with the resulting "sanitized" string - this will paste the string as the href value of a hyperlink:

var html_editor = editor.QueryInterface(Components.interfaces.nsIHTMLEditor);
html_editor.insertHTML("<a href='"+whathref+"'>"+whattext+"</a>");

So I am looking for a better way to get sanitized HTML into a simple string variable. Would any of you do it this way?


Solution

It seems that you simply want to insert clipboard contents into HTML code as pure text; you don't need any complicated escaping approach then, it's enough to make sure all "dangerous" characters are replaced by HTML entities:

var sanitizedText = text.replace(/&/g, "&amp;").replace(/</g, "&lt;")
                        .replace(/>/g, "&gt;").replace(/"/g, "&quot;");

It's not clear from your question what you do with the generated HTML code. If you add it to a DOM document via something like innerHTML then you can do better - add the HTML code first and manipulate the text in the document then:

document.getElementById("text-container").textContent = text;

Using Node.textContent to set text in a document is always safe, no escaping needs to be performed.
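As an added example (not part of the answer above), the same entity-escaping idea applied to both places the question puts clipboard text: the link text and the single-quoted href attribute of its insertHTML() string. The function names and the sample clipboard value are my own.

```javascript
// Added example: escape untrusted text for the two contexts the question
// concatenates it into, link text and a single-quoted attribute value.
// Function names and sample data are constructed for this example.

// The answer's four replacements plus the single quote, which matters here
// because the question's insertHTML() call wraps href in single quotes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  // One pass over all five characters, so an entity produced by one
  // replacement can never be re-escaped by a later one.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same markup shape as the question's insertHTML() argument, but with both
// untrusted pieces escaped before they are concatenated into the string.
function buildLinkHtml(href, linkText) {
  return "<a href='" + escapeHtml(href) + "'>" + escapeHtml(linkText) + "</a>";
}

// Constructed sample clipboard contents containing every special character.
const clipboardText = "Bob's <b>\"notes\"</b> & more";
console.log(buildLinkHtml("https://example.org/?a=1&b=2", clipboardText));
// prints: <a href='https://example.org/?a=1&amp;b=2'>Bob&#39;s &lt;b&gt;&quot;notes&quot;&lt;/b&gt; &amp; more</a>
```

Escaping only makes the value safe to sit inside the attribute quotes; whether the URL itself is one the addon should link to is a separate check this example does not make.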

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow