L10n API: entity attributes are now node attributes, not properties

Showing 1-1 of 1 messages
L10n API: entity attributes are now node attributes, not properties Zibi Braniecki 6/9/14 5:21 PM
Hi guys,

I just landed bug 994290 which changes the way we treat localization entity attributes.

Before we were taking:

name.attr = Foo

and doing:

nodes[entity.id][entity.attr] = entity.value

That led to hacks where l10n entities were assigned to CSS styles etc. but could potentially be used by an attacker to modify other JS properties of the node.

We now switched to:

nodes[entity.id].setAttribute(enttiy.attr, entity.value);

That shouldn't affect the way your write your localizable code, unless you were planning to benefit from the node property setting.

If you were, please, contact my team and we'll find a better solution for you.

Cheers,
zb.

p.s.

One exception we had to leave for now is entity.innerHTML which is used in Gaia to inject whole localized DOMFragments into DOM.

It of course means that the code is still not safe. We're working on a solution in bug 994357.