Description
Below is the output from Mozilla's Extension Tests. Would be useful to fix as well. Some of these may be just par for the course for the type of plugin that vimperator is. Others should be fixed ASAP. And some are just being silly, like the "potentially unsafe template escape sequence" ones that complain about the usage of {{{ as the fold indicator for vim.
Access to the Function global
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.
Alternatives are available for most use cases. See https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Appendix_C:_Avoid_using_eval_in_Add-ons for more information.
common/content/base.js
string: String,
function: Function,
number: Number
Access to the eval global
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.
Alternatives are available for most use cases. See https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Appendix_C:_Avoid_using_eval_in_Add-ons for more information.
common/content/base.js
let Constructor = eval(`(function ${(name || superclass.name).replace(/\W/g, '_')}() {
let self = {
Access to the eval global
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.
Alternatives are available for most use cases. See https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Appendix_C:_Avoid_using_eval_in_Add-ons for more information.
common/content/autocommands.js
if (args["-javascript"])
cmd = eval("(function (args) { with(args) {" + cmd + "} })");
autocommands.add(events, regex, cmd);
Extensions must not alter user preferences such as the new tab URL without explicit user consent.
Warning: Extensions must not alter user preferences such as the new tab URL without explicit user consent. Such changes must also be reverted when the extension is disabled or uninstalled.
Potentially unsafe preference branch referenced
Warning: Extensions must not alter user preferences such as the current home page, new tab page, or search engine, without explicit user consent, in which a user takes a non-default action. Such changes must also be reverted when the extension is disabled or uninstalled.
In nearly all cases, new values for these preferences should be set in the default preference branch, rather than the user branch.
If you are reading, but not writing, this preference, please consider passing a string literal directly to Preferences.get() or nsIPrefBranch.get*Pref.
content/config.js
if (services.get("vc").compare(VERSION, "41.*") == -1) {
options.setPref("browser.newtab.url", value);
} else {
Potentially unsafe preference branch referenced
Warning: Extensions must not alter user preferences such as the current home page, new tab page, or search engine, without explicit user consent, in which a user takes a non-default action. Such changes must also be reverted when the extension is disabled or uninstalled.
In nearly all cases, new values for these preferences should be set in the default preference branch, rather than the user branch.
If you are reading, but not writing, this preference, please consider passing a string literal directly to Preferences.get() or nsIPrefBranch.get*Pref.
content/config.js
if (services.get("vc").compare(VERSION, "41.*") == -1) {
return options.getPref("browser.newtab.url");
} else {
Access to the eval global
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.
Alternatives are available for most use cases. See https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Appendix_C:_Avoid_using_eval_in_Add-ons for more information.
common/content/completion.js
if (typeof v == "string" && /^[.[]/.test(v))
v = eval("(function (i) i" + v + ")");
if (typeof v == "function")
Access to the getInstallForFile global
Warning: Add-ons may install other add-ons only by user consent. Any such installations must be carefully reviewed to ensure their safety.
common/content/liberator.js
if (file.exists() && file.isReadable() && file.isFile())
AddonManager.getInstallForFile(file, function (a) a.install());
else {
The use of nsIProcess is potentially dangerous and requires careful review by an administrative reviewer.
Warning: Access to the nsIProcess property is deprecated for security or other reasons.
common/content/services.js
this.addClass("find", "@mozilla.org/embedcomp/rangefind;1", Ci.nsIFind);
this.addClass("process", "@mozilla.org/process/util;1", Ci.nsIProcess);
this.addClass("timer", "@mozilla.org/timer;1", Ci.nsITimer);
Access to the eval global
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.
Alternatives are available for most use cases. See https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Appendix_C:_Avoid_using_eval_in_Add-ons for more information.
common/content/javascript.js
let string = this._str.substring(this._get(-1).offset + 1, this._lastIdx);
string = eval(this._last + string + this._last);
Access to the eval global
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.
Alternatives are available for most use cases. See https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/Appendix_C:_Avoid_using_eval_in_Add-ons for more information.
common/content/eval.js
try { __liberator_eval_result = eval(__liberator_eval_string);
}
setTimeout called in potentially dangerous manner
Warning: In order to prevent vulnerabilities, the setTimeout and setInterval functions should be called only with function expressions as their first argument.
common/content/editor.js
if (colors.length > 0)
setTimeout(arguments.callee, 100);
})();
Possible attempt to override new tab page
Warning: The new tab page should be changed only by writing to the appropriate preference in the default preferences branch. Such changes may only be made after an explicit user opt-in, unless the add-on was explicitly and directly installed by the user, and changing the new tab page is its primary purpose.
If this code does not change the behavior of the new tab page, it may be ignored.
common/content/statusline.js
// make it even more Vim-like
if (url == "about:blank") {
if (!buffer.title)
JavaScript Compile-Time Error
Warning: A compile-time error in the JavaScript halted validation of that file.
Message: illegal character
common/content/liberator.xul line 9 column null
open called in potentially dangerous manner
Warning: Synchronous HTTP requests can cause serious UI performance problems, especially to users with slow network connections.
common/content/util.js
}
xmlhttp.open("GET", url, !!callback);
xmlhttp.send(null);
init should not be called with a null first argument
Warning: Calling nsITransferable.init() with a null first argument has the potential to leak data across private browsing mode sessions. null is appropriate only when reading data or writing data which is not associated with a particular window.
common/content/util.js
if("init" in transferable) {
transferable.init(null);
}
Using __proto__ or setPrototypeOf to set a prototype is now deprecated.
Warning: Use of __proto__ or setPrototypeOf to set a prototype causes severe performance degredation, and is deprecated. You should use Object.create instead. See bug https://bugzil.la/948227 for more information.
common/content/base.js
// __iterators__ attached to prototypes.
subclass.prototype.__proto__ = superclass.prototype;
Using __proto__ or setPrototypeOf to set a prototype is now deprecated.
Warning: Use of __proto__ or setPrototypeOf to set a prototype causes severe performance degredation, and is deprecated. You should use Object.create instead. See bug https://bugzil.la/948227 for more information.
common/content/base.js
})`);
Constructor.__proto__ = superclass;
Mouse events may cause performance issues.
Warning: The use of mousemove, mouseover, and mouseout is discouraged. These events are dispatched with high frequency and can cause severe performance issues.
common/content/buffer.js
elem.dispatchEvent(events.create(doc, "mouseover", { screenX: x, screenY: y }));
}
Global variable overwrite
Warning: An attempt was made to overwrite a global variable in some JavaScript code.
common/content/buffer.js
}
window[browserWindow] = this.progressListener;
window.QueryInterface(Ci.nsIInterfaceRequestor)
Mouse events may cause performance issues.
Warning: The use of mousemove, mouseover, and mouseout is discouraged. These events are dispatched with high frequency and can cause severe performance issues.
common/content/hints.js
util.makeXPath(["input[not(@type='hidden' or @disabled)]", "a", "area", "iframe", "textarea", "button", "select"])
+ " | //*[@onclick or @onmouseover or @onmousedown or @onmouseup or @oncommand or @role='link'or @role='button' or @role='checkbox' or @role ...
+ (config.name == "Muttator" ?
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/hints.js
*/
_hintMatcher: function (hintString) { //{{{
/**
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/hints.js
*/
function containsMatcher(hintString) { //{{{
let tokens = tokenize(/\s+/, hintString);
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/hints.js
*/
function wordStartsWithMatcher(hintString, allowWordOverleaping) { //{{{
let hintStrings = tokenize(/\s+/, hintString);
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/modules/template-tag.js
// {{{ escape function
//var obj1 = {};
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/modules/template-tag.js
function templateXML(portion, ...args) // {{{
{
Potentially unsafe preference branch referenced
Warning: Extensions should not alter preferences in the browser.preferences.instantApply preference branch
If you are reading, but not writing, this preference, please consider passing a string literal directly to Preferences.get() or nsIPrefBranch.get*Pref.
content/config.js
var features = "chrome,titlebar,toolbar,centerscreen," +
(options.getPref("browser.preferences.instantApply", false) ? "dialog=no" : "modal");
window.toOpenWindowByType("Browser:Preferences", "chrome://browser/content/preferences/preferences.xul", features);
Using __proto__ or setPrototypeOf to set a prototype is now deprecated.
Warning: Use of __proto__ or setPrototypeOf to set a prototype causes severe performance degredation, and is deprecated. You should use Object.create instead. See bug https://bugzil.la/948227 for more information.
common/content/io.js
this.__context__ = this;
this.__proto__ = plugins;
Using __proto__ or setPrototypeOf to set a prototype is now deprecated.
Warning: Use of __proto__ or setPrototypeOf to set a prototype causes severe performance degredation, and is deprecated. You should use Object.create instead. See bug https://bugzil.la/948227 for more information.
common/content/io.js
let self = XPCNativeWrapper(file);
self.__proto__ = File.prototype;
return self;
Mouse events may cause performance issues.
Warning: The use of mousemove, mouseover, and mouseout is discouraged. These events are dispatched with high frequency and can cause severe performance issues.
common/content/events.js
click: "Mouse", mousedown: "Mouse", mouseup: "Mouse",
mouseover: "Mouse", mouseout: "Mouse",
keypress: "Key", keyup: "Key", keydown: "Key"
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/commandline.js
this._messageHistory = { //{{{
_messages: [],
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/commandline.js
////////////////////// TIMERS //////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////{{{
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/commandline.js
////////////////////// VARIABLES ///////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////{{{
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/completion.js
////////////////////// COMPLETION TYPES ////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////{{{
Banned or deprecated JavaScript Identifier
Warning: Creating threads from JavaScript is a common cause of crashes and is unsupported in recent versions of the platform
common/content/completion.js
this.incomplete = true;
let thread = this.getCache("backgroundThread", liberator.newThread);
liberator.callAsync(thread, this, function () {
Global variable overwrite
Warning: An attempt was made to overwrite a global variable in some JavaScript code.
common/content/liberator.js
init: function () {
window.liberator = this;
this.observers = {};
Banned or deprecated JavaScript Identifier
Warning: Creating threads from JavaScript is a common cause of crashes and is unsupported in recent versions of the platform
common/content/liberator.js
*/
newThread: function () services.get("threadManager").newThread(0),
Banned or deprecated JavaScript Identifier
Warning: Creating threads from JavaScript is a common cause of crashes and is unsupported in recent versions of the platform
common/content/liberator.js
callAsync: function (thread, self, func) {
thread = thread || services.get("threadManager").newThread(0);
thread.dispatch(Runnable(self, func, Array.slice(arguments, 3)), thread.DISPATCH_NORMAL);
Banned or deprecated JavaScript Identifier
Warning: Creating threads from JavaScript is a common cause of crashes and is unsupported in recent versions of the platform
common/content/liberator.js
callFunctionInThread: function (thread, func) {
thread = thread || services.get("threadManager").newThread(0);
Potentially unsafe preference branch referenced
Warning: Extensions should not alter preferences in the general.useragent. preference branch
If you are reading, but not writing, this preference, please consider passing a string literal directly to Preferences.get() or nsIPrefBranch.get*Pref.
common/content/liberator.js
// Process plugin help entries.
let lang = options.getPref("general.useragent.locale", "en-US");
const ps = new DOMParser;
Banned or deprecated JavaScript Identifier
Warning: Spinning the event loop with processNextEvent is a common cause of deadlocks, crashes, and other errors due to unintended reentrancy. Please use asynchronous callbacks instead wherever possible
common/content/liberator.js
while (Date.now() < end)
mainThread.processNextEvent(true);
return true;
Banned or deprecated JavaScript Identifier
Warning: Spinning the event loop with processNextEvent is a common cause of deadlocks, crashes, and other errors due to unintended reentrancy. Please use asynchronous callbacks instead wherever possible
common/content/liberator.js
do {
mainThread.processNextEvent(!flush);
if (liberator.interrupted)
Global variable overwrite
Warning: An attempt was made to overwrite a global variable in some JavaScript code.
common/content/liberator.js
"boolean", false, {
setter: function (value) window.fullScreen = value,
getter: function () window.fullScreen
Using __proto__ or setPrototypeOf to set a prototype is now deprecated.
Warning: Use of __proto__ or setPrototypeOf to set a prototype causes severe performance degredation, and is deprecated. You should use Object.create instead. See bug https://bugzil.la/948227 for more information.
common/content/sanitizer.js
liberator.loadScript("chrome://browser/content/sanitize.js", Sanitizer);
this.__proto__.__proto__ = new Sanitizer.Sanitizer; // Good enough.
Sanitizer.getClearRange = Sanitizer.Sanitizer.getClearRange; // XXX
Using __proto__ or setPrototypeOf to set a prototype is now deprecated.
Warning: Use of __proto__ or setPrototypeOf to set a prototype causes severe performance degredation, and is deprecated. You should use Object.create instead. See bug https://bugzil.la/948227 for more information.
common/content/sanitizer.js
liberator.loadScript("chrome://browser/content/sanitize.js", Sanitizer);
this.__proto__.__proto__ = new Sanitizer.Sanitizer; // Good enough.
Sanitizer.getClearRange = Sanitizer.Sanitizer.getClearRange; // XXX
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/content/options.js
// Properties {{{2
Potentially unsafe template escape sequence
Warning: The use of non-HTML-escaping template escape sequences is potentially dangerous and highly discouraged. Non-escaped HTML may only be used when properly sanitized, and in most cases safer escape sequences such as {{ must be used instead.
common/modules/storage.jsm
/***** BEGIN LICENSE BLOCK ***** {{{
Copyright ©2008-2009 by Kris Maglione <maglione.k at Gmail>
openDialog called with non-literal parameter.
Warning: Calling openDialog with variable parameters can result in potential security vulnerabilities if the variable contains a remote URI. Consider using window.open with the chrome=no flag.
common/content/liberator.js
if (args.bang)
window.openDialog(extension.options, "_blank", "chrome,toolbar");
else