Firefox extension not happy with static insideHtml

Question

I submitted a Firefox extension that uses innerHtml on content-script.js. The html content is hardcoded, with multiple levels of nested div and span tags, with id class... attributes, none script or a tag. The actual information is filled in in the code behind.

const myHtml = `..........`;
                let elm = document.createElement('div');
                elm.id = 'injectedWrapper';
                elm.innerHTML = myHtml;

However, AMO still complains about insideHtml, even if it comes from const.

Due to both security and performance concerns, this may not be set using dynamic values which have not been adequately sanitized.

I read the guide, but as of now, Firefox support still seems limited. I don't want to add extra js because it's a content script and worst of all it's a lot of createElement but the whole thing makes no sense.

So is there anyway to sanitize the html content to make Firefox happy?

Answer 1

Okay, I finally understand. This is an update for future reference.

The actual verification is done via addons-linter, which doesn't look smart enough to analyze the code.

This will fail:

const myHtml = '<div></div>';
elm.innerHtml = myHtml;

These will all work.

elm.innerHtml = '<div></div>'
elm.innerHtml = '<div>'+'</div>'
elm.innerHtml = `<div>
                 </div>`