Validator ineffective in some cases (shows nothing)
Closed this issue · 4 comments
There are developers who copy/paste GreaseMoneky scripts into an addon.
It seems validator (as well as the Olympia for displaying the review) miss most issues in such cases.
It might be due to wild-card usages in GM include/exclude.
Example - validator shows nothing while there are eval(), createElement('script'), innerHTML etc
https://addons.mozilla.org/en-US/developers/addon/enhanced-rt/file/488096/validation
Review: (Syntax Highlight also has issues)
https://addons.mozilla.org/en-US/firefox/files/browse/488096/file/Enhanced%20RT.user.js#top
Another example .. this time a different case (not a GM script)
Validator shows no warning and misses the JQuery completely (no mention)
https://addons.mozilla.org/en-US/editors/review/pnkj-test
This is how Enhanced RT now get's linted in validator:
Validation Summary:
errors 0
notices 0
warnings 23
WARNINGS:
Code Message Description File Line Column
Unsafe assignment to outerHTML Unsafe assignment to outerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 298 2
sanitized. This can lead to security issues or fairly serious performance degradation.
Unsafe assignment to innerHTML Unsafe assignment to innerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 320 2
sanitized. This can lead to security issues or fairly serious performance degradation.
eval can be harmful. eval can be harmful. Enhanced RT.user.js 329 12
eval can be harmful. eval can be harmful. Enhanced RT.user.js 332 10
eval can be harmful. eval can be harmful. Enhanced RT.user.js 333 31
eval can be harmful. eval can be harmful. Enhanced RT.user.js 333 70
eval can be harmful. eval can be harmful. Enhanced RT.user.js 338 10
eval can be harmful. eval can be harmful. Enhanced RT.user.js 339 31
eval can be harmful. eval can be harmful. Enhanced RT.user.js 339 70
Unsafe assignment to outerHTML Unsafe assignment to outerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 433 2
sanitized. This can lead to security issues or fairly serious performance degradation.
eval can be harmful. eval can be harmful. Enhanced RT.user.js 438 12
eval can be harmful. eval can be harmful. Enhanced RT.user.js 440 10
eval can be harmful. eval can be harmful. Enhanced RT.user.js 441 31
eval can be harmful. eval can be harmful. Enhanced RT.user.js 441 70
eval can be harmful. eval can be harmful. Enhanced RT.user.js 445 10
eval can be harmful. eval can be harmful. Enhanced RT.user.js 446 31
eval can be harmful. eval can be harmful. Enhanced RT.user.js 446 70
Unsafe assignment to outerHTML Unsafe assignment to outerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 611 9
sanitized. This can lead to security issues or fairly serious performance degradation.
Unsafe assignment to outerHTML Unsafe assignment to outerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 617 9
sanitized. This can lead to security issues or fairly serious performance degradation.
Unsafe assignment to innerHTML Unsafe assignment to innerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 622 10
sanitized. This can lead to security issues or fairly serious performance degradation.
Unsafe assignment to outerHTML Unsafe assignment to outerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 626 10
sanitized. This can lead to security issues or fairly serious performance degradation.
Unsafe assignment to outerHTML Unsafe assignment to outerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 647 12
sanitized. This can lead to security issues or fairly serious performance degradation.
Unsafe assignment to innerHTML Unsafe assignment to innerHTML Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately Enhanced RT.user.js 742 6
sanitized. This can lead to security issues or fairly serious performance degradation.
which looks fairly good to me now. There is a few more things but these aren't related to that add-on and are separately filed against mozilla/addons#282.
I'm closing this but please feel free to re-open at any time or create a new issue in case something is missing.
@EnTeQuAk maybe there is a bug in addons-server which causes those warnings to not show up in the file-viewer? Remember that reviewers usually don't interact with the validator directly, they only see what the file-viewer shows.
good point, I'll verify this a bit later.