|L10n API: entity attributes are now node attributes, not properties||Zibi Braniecki||6/9/14 5:21 PM|
I just landed bug 994290 which changes the way we treat localization entity attributes.
Before we were taking:
name.attr = Foo
nodes[entity.id][entity.attr] = entity.value
That led to hacks where l10n entities were assigned to CSS styles etc. but could potentially be used by an attacker to modify other JS properties of the node.
We now switched to:
That shouldn't affect the way your write your localizable code, unless you were planning to benefit from the node property setting.
If you were, please, contact my team and we'll find a better solution for you.
One exception we had to leave for now is entity.innerHTML which is used in Gaia to inject whole localized DOMFragments into DOM.
It of course means that the code is still not safe. We're working on a solution in bug 994357.