How to keep attributes with parseFragment in Firefox extension

Question

In a Firefox extension we use parseFragment (documentation) to parse a string of HTML (received from a 3rd party server) into a sanitized DocumentFragment, as it is required by Mozilla. The only problem is that the parser removes all attributes we need, for example, the class attribute.

Is it possible somehow to keep class attributes while parsing HTML with parseFragment?

P.S. I know that in Gecko 14.0 they replaced this function with another which supports sanitizing parameters. But what to do with Gecko < 14.0?

Recommended answer

No, the whitelist is hardcoded and cannot be adjusted. However, the class attribute is in the whitelist and should be kept, you probably meant the style attribute? If you need a customized behavior you will have to use a different solution (like DOMParser which can parse HTML documents in Firefox 12).

As to older Firefox versions, you can parse XHTML data with DOMParser there. If you really have HTML then I am only aware of one way to parse it without immediately inserting it into a document (which might cause various security issues): range.createContextualFragment(). You need an HTML document for that, if you don't have one - a hidden <iframe> loading about:blank will do as well. Here is how it works:

// Get the HTML document
var doc = document.getElementById("dummyFrame").contentDocument;

// Parse data
var fragment = doc.createRange().createContextualFragment(htmlData);

// Sanitize it
sanitizeData(fragment);

Here sanitizing the data is your own responsibility. You probably want to base your sanitization on Mozilla's whitelist that I linked to above - remove all tags and attributes that are not on that list, also make sure to check the links. The style attribute is a special case: it used to be insecure but IMHO no longer is given that -moz-binding isn't supported on the web any more.
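
One possible shape for the sanitizeData() step that the answer leaves to the reader, as an added example that is not part of the original answer. The tag and attribute lists are illustrative assumptions, not Mozilla's whitelist, and makeSet, isSafeUrl and fakeNode are hypothetical helpers (fakeNode is a constructed stand-in for DOM nodes so the code can be exercised outside a browser).

```javascript
// Illustrative allowlists (assumption): NOT Mozilla's actual whitelist.
function makeSet(names) {
  var s = Object.create(null);            // no inherited keys such as "constructor"
  names.forEach(function (n) { s[n] = true; });
  return s;
}
var ALLOWED_TAGS = makeSet(["a", "b", "i", "em", "strong", "p", "div", "span", "ul", "ol", "li", "br"]);
var ALLOWED_ATTRS = makeSet(["class", "title", "href"]);
var URL_ATTRS = makeSet(["href"]);

function isSafeUrl(value) {
  // Whitespace and control characters are stripped first so that
  // "java\tscript:" is judged as the scheme the browser would see.
  var v = String(value).replace(/[\u0000-\u0020]/g, "");
  return /^(https?|mailto):/i.test(v);
}

function sanitizeData(node) {
  // Copy the child list: it changes while nodes are removed.
  Array.prototype.slice.call(node.childNodes).forEach(function (child) {
    if (child.nodeType === 3) return;                        // text node: keep
    if (child.nodeType !== 1 || !ALLOWED_TAGS[child.localName.toLowerCase()]) {
      node.removeChild(child);                               // drop with its subtree
      return;
    }
    Array.prototype.slice.call(child.attributes).forEach(function (attr) {
      var name = attr.name.toLowerCase();
      var ok = ALLOWED_ATTRS[name] && (!URL_ATTRS[name] || isSafeUrl(attr.value));
      if (!ok) child.removeAttribute(attr.name);             // on*, style, unsafe links
    });
    sanitizeData(child);                                     // recurse into kept elements
  });
  return node;
}

// Constructed stand-in for DOM nodes so the example also runs outside a browser.
function fakeNode(localName, attrs, children) {
  return {
    nodeType: localName === "#text" ? 3 : 1,
    localName: localName,
    childNodes: children || [],
    attributes: Object.keys(attrs || {}).map(function (k) { return { name: k, value: attrs[k] }; }),
    removeChild: function (c) { this.childNodes.splice(this.childNodes.indexOf(c), 1); },
    removeAttribute: function (n) {
      this.attributes = this.attributes.filter(function (a) { return a.name !== n; });
    }
  };
}
```

In the extension, sanitizeData() would be called on the fragment returned by createContextualFragment() before that fragment is inserted anywhere.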
