On Jun 7, 4:47 pm, Nils Maier <[EMAIL PROTECTED]> wrote:
> * a lot of reinvent the wheel code is in there, like getHostFromURL
> (instead of using nsIURI/nsIURL/nsIEffectiveTLDService).
>
> * A regex-based homebrewed html parser. I wonder how good it is, how good
> it will get... Bad people are known to be quite creative when it comes
> to finding ways to obscure injections...

Thank you for your interest and scrutiny here, Nils. As I mentioned in my reply to Gerv, the add-on is only a proof-of-concept hack and differs greatly from the approach Mozilla would likely take in a permanent implementation. A regex-based HTML and script parser was a quick and dirty way to get the job done. We have thousands of developer hours already invested in our HTML and XML parsers. I would not want to reimplement any of that code when it's already been so rigorously tested.

> * clean = this.data.replace(/google/ig,'yahoo'); Huh? Prototyping, eh? ;)
>
> * this.status = "On" | "Off"... What happened to booleans?

Yep, thanks for pointing these out. Both have been fixed and the add-on package updated.

> Maybe you should get in touch with Giorgio of noscript fame. He is very
> knowledgeable in this area and furthermore I think it might be
> interesting to implement this in noscript as well to some extent.

I am sure that Giorgio will be involved in the design/implementation. He has already provided some useful comments on a few of the discussions I have seen.

Thanks,
Brandon
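
The first review point in this thread (hand-rolled host extraction instead of the platform URL parser), shown as an added example that is not code from the add-on or from either poster. `naiveHost` is a hypothetical regex-based routine, the WHATWG `URL` class stands in for nsIURI so the snippet runs outside Firefox, and the sample URLs are constructed.

```javascript
// Hypothetical hand-rolled extractor (an assumption for illustration;
// NOT the add-on's getHostFromURL, whose source is not on this page).
function naiveHost(url) {
  const m = /^[a-z]+:\/\/([^\/:]+)/i.exec(url);
  return m ? m[1] : null;
}

// Reference answer from a real URL parser. WHATWG URL is used here as a
// stand-in for nsIURI, which is only reachable from privileged Firefox code.
function parsedHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
}

// Constructed sample inputs (not taken from the thread).
const SAMPLES = [
  "http://example.com/path",      // plain case: both agree
  "http://EXAMPLE.com:8080/",     // parser normalizes case
  "http://user:pw@example.org/",  // userinfo before the host
  "http://[::1]:8080/",           // IPv6 literal contains ':'
  "not a url",                    // both reject
];

// Differential check: return every input where the hand-rolled routine
// disagrees with the parser. Any row here is a policy decision that
// would be made against the wrong host.
function audit(samples) {
  return samples
    .map((url) => ({ url, naive: naiveHost(url), parsed: parsedHost(url) }))
    .filter((row) => row.naive !== row.parsed);
}

console.log(audit(SAMPLES));
```

Running the same differential check over a larger URL corpus is a cheap regression test for any code that still carries its own host-parsing routine.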