
Firefox extension missing from addons.mozilla.org

Open shinenelson opened this issue 3 years ago • 9 comments

I am surprised that no one has noticed this yet. The link to the Firefox add-on under Published versions in the readme leads to a 404 page. Searching for the keyword 'github hovercard' does not yield any results either.

Is that supposed to be how it is? Was the add-on intentionally removed from addons.mozilla.org?

shinenelson avatar Apr 10 '21 14:04 shinenelson

It has been taken down by Mozilla, and I was told they think there might be security vulnerabilities because a core feature relies on directly outputting HTML from the GitHub API (GitHub’s Markdown rendering API). Unfortunately I haven’t found time to deal with this yet.

Justineo avatar Apr 11 '21 00:04 Justineo

If you still remember what the problem was, can you please put it up as an issue so that someone can take it up?

From what you have described, I think I know what you are talking about. I might be able to help fix the issue if it is not too grave.

shinenelson avatar Apr 11 '21 02:04 shinenelson

Hello,

Due to issues discovered during the review process, your add-on GitHub Hovercard has been disabled on addons.mozilla.org and no longer appears in the gallery. Users who have previously installed your add-on will be able to continue using it.

Please see the reviewer's comments below for more information.


Details: This version didn't pass review because of the following problems:

  1. This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk. For more information, see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page . Here are some examples that were discovered:

hovercard.js - line 2067

Please fix them and submit again.

Justineo avatar Apr 11 '21 06:04 Justineo
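
The pattern the reviewer flags above (assigning an HTML string from an API to `innerHTML`) and one way to avoid it, as an added example that is not part of the thread or the extension's code. The tag, attribute and scheme allowlists and the function names are assumptions chosen for illustration.

```javascript
// Flagged pattern: container.innerHTML = htmlFromApi;
// Alternative: parse into an inert document, then rebuild only allowlisted nodes.
// Allowlists below are assumptions for this example, not the extension's rules.
const ALLOWED_TAGS = new Set(['P', 'A', 'EM', 'STRONG', 'CODE', 'PRE', 'UL', 'OL', 'LI', 'BR', 'BLOCKQUOTE']);
const ALLOWED_ATTRS = { A: ['href', 'title'] };
const SAFE_SCHEMES = new Set(['https:', 'http:', 'mailto:']);
const DROP_WITH_CONTENT = new Set(['SCRIPT', 'STYLE', 'IFRAME', 'OBJECT', 'EMBED', 'TEMPLATE']);

function isSafeUrl(value, base) {
  try {
    // URL parsing normalises tabs/newlines, so "java\tscript:" is still caught.
    return SAFE_SCHEMES.has(new URL(value, base).protocol);
  } catch (e) {
    return false; // unparsable URL: drop the attribute
  }
}

// Rebuild the children of `src` under `dst` using only allowlisted elements/attributes.
function copySanitized(src, dst, doc, base) {
  for (const child of Array.from(src.childNodes)) {
    if (child.nodeType === 3) {                  // text node: copied as text, never parsed
      dst.appendChild(doc.createTextNode(child.nodeValue));
    } else if (child.nodeType === 1) {           // element node
      const tag = child.tagName.toUpperCase();
      if (DROP_WITH_CONTENT.has(tag)) continue;  // drop element and its whole subtree
      let target = dst;                          // unknown tag: unwrap, keep its children
      if (ALLOWED_TAGS.has(tag)) {
        target = doc.createElement(tag);
        for (const name of ALLOWED_ATTRS[tag] || []) {
          const value = child.getAttribute(name);
          if (value === null) continue;
          if (name === 'href' && !isSafeUrl(value, base)) continue;
          target.setAttribute(name, value);      // on* handlers are never copied
        }
        dst.appendChild(target);
      }
      copySanitized(child, target, doc, base);
    }                                            // comments and other node types are dropped
  }
  return dst;
}

// Browser entry point: DOMParser yields a document in which scripts do not run.
function renderUntrustedHtml(html, container) {
  const inert = new DOMParser().parseFromString(html, 'text/html');
  container.textContent = '';
  return copySanitized(inert.body, container, container.ownerDocument, 'https://github.com/');
}
```
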

@Justineo Has it been removed from the Chrome Web Store for the same reason or have you taken it down? :o

levifig avatar Apr 24 '21 01:04 levifig

Google sent me a takedown notification yesterday claiming that I didn’t respond to their “previous” violation notification email, which I didn’t receive. I contacted Google after that but haven’t received any response yet.

Justineo avatar Apr 24 '21 04:04 Justineo

Update: The Chrome extension is back online. Reviewers for the Firefox add-on haven't replied to my inquiry yet.

Justineo avatar May 13 '21 07:05 Justineo

Any updates regarding the Firefox extension? I just got a new PC and realized I've been taking this extension far too much for granted!

Pk13055 avatar Jun 02 '21 22:06 Pk13055

Still not available in FF store

MaxymVlasov avatar Oct 29 '21 15:10 MaxymVlasov

Still unavailable from the addons site. Can it be installed manually?

lonix1 avatar Sep 01 '22 10:09 lonix1