Sanitize html string from ajax call in content script

Hi,

I am trying to load a Wikipedia page into my extension. My extension was rejected because I am injecting HTML code from AJAX calls without sanitizing it. The problem here is that the JSON I get back from Wikipedia looks like the following:

'{ *: "<div class="mf-section-0" id="mf-section-0"><table style="margin:0 0 1em 1em; float:right; text-align:center; width:20em;" class="toccolours vevent"><tr><td colspan="4" style="padding:0 1em;border-bottom:1px #aaa solid;"><b><span class="summary"><span class="dtstart">2016</span> <a href="/wiki/NASCAR_Sprint_Cup_Series" class="mw-redirect" title="NASCAR Sprint Cup Series">NASCAR Sprint Cup Series</a></span></b></td>
</tr><tr style="vertical-align:top"><td style="text-align:right; width:auto;">Previous:</td>
<td style="text-align:left"><a href="/wiki/2015_NASCAR_Sprint_Cup_Series" title="2015 NASCAR Sprint Cup Series">2015</a></td>
<td style="text-align:right; width:auto;">Next:</td>
<td style="text-align:left"><a href="/wiki/2017_NASCAR_Cup_Series" title="2017 NASCAR Cup Series">2017</a></td>
</tr><tr><td colspan="4" style="font-size:90%;">
<center><a href="/wiki/List_of_NASCAR_Sprint_Cup_Series_champions" title="List of NASCAR Sprint Cup Series champions">Champions</a> | <a href="/wiki"[…] }'

First option: I can replace most of the problem tags using a regex, including
script, style, head, body, title, and iframe.
Here I am formatting the HTML string and removing all anchor (i.e. href) tags:
str = str.replace(/(\n)|({"\*":")|(<a.*?>)|(<\/a>)|("})|(\\)/gmi, ''); // the last group is assumed to be meant to strip backslashes

Second option: create an HTML document using DOMParser() in memory, remove the unwanted tags (script, style, head, body, title, and iframe) and any attribute whose name starts with on***, and finally append the HTML to the main document.

Please suggest an option that will not fail review for not sanitizing; any help in this matter is appreciated.
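The "second option" above written out as an added example (not code from the thread or from Mozilla): an allowlist of tags and attributes instead of a blocklist, with link targets checked so that only http(s) URLs survive. Assumptions: the HTML sits under the `'*'` key as in the question, links resolve against `https://en.wikipedia.org/`, and the tag list is whatever the extension actually needs to render.

```javascript
// Added example, not code from the original thread: the poster's "second
// option" done with an allowlist rather than a tag/attribute blocklist.
// Assumed response shape: the '*' key holds the HTML, as in the question.
const WIKI_BASE = 'https://en.wikipedia.org/'; // assumption: links resolve against English Wikipedia
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'b', 'i', 'br', 'center',
  'table', 'tr', 'td', 'th', 'ul', 'ol', 'li', 'h2', 'h3', 'a']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class', 'colspan']);

// Resolve a link against the wiki base and keep it only if it is http(s);
// this rejects javascript:, data:, vbscript: and anything unparseable.
function safeHref(value) {
  try {
    const url = new URL(value, WIKI_BASE);
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
  } catch (e) {
    return null;
  }
}

// Allowlist check: unknown attributes (every on* handler included) are dropped,
// and href is dropped unless safeHref accepts it.
function isAllowedAttr(name, value) {
  const n = name.toLowerCase();
  if (!ALLOWED_ATTRS.has(n)) return false;
  return n === 'href' ? safeHref(value) !== null : true;
}

// Walk the element tree: remove disallowed elements with their whole subtree
// (script, style, iframe, ...) and prune the attributes of the rest.
function sanitizeChildren(parent) {
  for (const el of Array.from(parent.children)) {
    if (!ALLOWED_TAGS.has(el.localName)) { el.remove(); continue; }
    for (const attr of Array.from(el.attributes)) {
      if (!isAllowedAttr(attr.name, attr.value)) el.removeAttribute(attr.name);
      else if (attr.name.toLowerCase() === 'href') el.setAttribute('href', safeHref(attr.value));
    }
    sanitizeChildren(el);
  }
}

// Parse the string into a separate document (it has no browsing context, so
// its scripts are not run), sanitize it, and return the cleaned body.
function sanitizeHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  sanitizeChildren(doc.body);
  return doc.body;
}

// Constructed sample in the shape the question shows, with hostile parts added.
const sample = { '*': '<div class="mf-section-0"><script>alert(1)</script>' +
  '<a href="/wiki/2015_NASCAR_Sprint_Cup_Series" onclick="alert(2)">2015</a>' +
  '<a href="javascript:alert(3)">x</a><iframe src="https://example.invalid"></iframe></div>' };

if (typeof DOMParser !== 'undefined' && typeof document !== 'undefined') {
  const clean = sanitizeHtml(sample['*']);
  document.body.append(...clean.childNodes); // nodes are adopted into the page document
}
```

On the sample, the script and iframe elements are removed outright, the onclick attribute is stripped, the javascript: link loses its href, and the /wiki/ link is rewritten to an absolute https URL.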

The problem with any kind of string to DOM conversion is that the DOM is executed.

Even if the addon doesn't insert it in the page, the browser still executes it, so if there are scripts they will be executed.

You can check my answer here:
https://discourse.mozilla-community.org/t/download-a-json-from-personnal-website/12158/2

You can load a page, as it is, in a panel (e.g. with an iframe) and manipulate the result.
Loading a JSON response has risks since it is unknown.

erosman,

Appreciate your response. Can you please explain in detail or provide some examples of what you mean by "You can load a page, as it is, in a panel (e.g. with an iframe) and manipulate the result"? Are you talking about iframe sandboxing?

On another thought, can I use this API?
Caja --> https://developers.google.com/caja/
Do you know if anybody is using it?

Appreciate your help

As for the panel, look at the examples on panel.

I don't know about Caja.
Adding another library means a more complex review process (which takes longer).
The claims of "safe" could mean safe for a web page but not for an addon.