Security Issues

[ferndot]

• Txt content needs to be sanitized for html tags and entities before being wrapped in the <pre> tag. And then you need to convert it /back/ to pure text again - i.e. if you type & it should be saved as exactly that in the txt file. At the moment its saved html-style encoded.
• I can't see why you need the browser permission for just displaying an internal about page - you'd only need it for displaying external content and providing navigation features. An iframe would work as an alternative and you wouldn't need the (potentially dangerous) browser permission.

potential issues:

• I can't see its used, but run_prettify.js isn't going to work - /resources/google-code-prettify/run_prettify.js#L179 - creates inline script tags which are blocked by the CSP.

[logan-r]

Can I work on the first issue?

[HR]

Yes and another thing about issue is all the formatting appears when you paste text. For example paste piece of text that is italic and has font "moz", it will stay the same when you paste it into firetext and this creates an error that prevents the document from being saved (probably because back end is written in HTML like he said above as well).

[ferndot]

@Logi0 please take the first one :)

[logan-r]

For the first issue we could use document.createTextNode().

[ferndot]

Can you fix it then?

[HR]

How long is this going to take?

[ferndot]

Too long 😢

[ferndot]

Yay!