[Q/A] Unsafe assignment to innerHTML

[lohnsonok]

What happened?

I trying to publish my new extension to firefox when i got this security warning during their kick analysis

Version

Latest

What OS are you seeing the problem on?

Linux

What browsers are you seeing the problem on?

Firefox

Relevant log output

Unsafe assignment to innerHTML

Avertissement: Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately sanitized. This can lead to security issues or fairly serious performance degradation.
popup.e650704c.js ligne 40 colonne 12949

(OPTIONAL) Contribution

• I would like to fix this BUG via a PR

Code of Conduct

• I agree to follow this project's Code of Conduct
• I checked the current issues for duplicate problems.

[louisgv]

Per their warning - are you eval user's input or putting it inside some dangerously set HTML block? The framework does not add extra stuff in prod build.

[lohnsonok]

No @louisgv please see. The search in my extension code return nothing:

But in the firefox prod :

[Curetix]

Are you using a UI framework like MUI, Chakra, Mantine, etc.? Those do use innerHTML assignments, which would be included in your bundled production build.

[lohnsonok]

Yes, I use mantine. Ok, so how do I fix this warning?
Can I just ignore it?

[lohnsonok]

It's not mantine. I deleted it and rebuilt the package, but the same warning appears:

[lohnsonok]

[Curetix]

In that case it might be React itself or some other module. You can search the node_modules folder for innerHTML and find out. It's probably okay to ignore these warnings if they are caused by your dependencies.