Move Wiki pages to docs folder (fixes #808) (#818)

* Replace Release Notes with info about CHANGELOG.md and Releases

* Replace Release Notes with links to CHANGELOG.md and Releases

* Updated Releases (markdown)

* Revert "Updated Releases (markdown)"

This reverts commit b9214fd89cc3cd2238a4f43c3c4bf7ac3c2cc7e9.

* Add instruction to replace @next placeholder

* Move Wiki files to docs folder (fixes #808)

* Apply Prettier formatter to docs

* Update link to Releases doc

* Replace Markdown table format with HTML table

* Add links from removed Releases page to README.md
This commit is contained in:
Andrii Dieiev 2019-02-17 22:04:13 +02:00 committed by Josh Goldberg
Parent f70d669310
Commit 66b9c68a98
17 changed files: 257 additions and 431 deletions

View file

@ -69,4 +69,4 @@ You can use `npm start` watcher that will rebuild TS files from `src` before lau
## Creating a new Release
Refer to the [Releases Wiki Page](https://github.com/Microsoft/tslint-microsoft-contrib/wiki/Releases).
Refer to the [Releases doc](./docs/Releases.md).
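
Review bot: The new link target `./docs/Releases.md` on the "Refer to the [Releases doc]" line has to be added in this same commit, because the wiki Releases page it replaces is deleted further down; otherwise CONTRIBUTING.md points at a missing file. Please confirm the file is among the 17 changed files and that the relative path resolves from where CONTRIBUTING.md lives.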

View file

@ -1 +0,0 @@
Welcome to the tslint-microsoft-contrib wiki!

View file

@ -1250,3 +1250,7 @@ We recommend you specify exact versions of lint libraries, including `tslint-mic
## Development
See [CONTRIBUTING.md](./CONTRIBUTING.md).
## Release notes
Check GitHub [Releases](https://github.com/Microsoft/tslint-microsoft-contrib/releases) for individual release notes or [CHANGELOG.md](./CHANGELOG.md) for full project changelog.
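
Review bot: Wording nit in the added "Release notes" paragraph: "for full project changelog" should read "for the full project changelog". Since this paragraph becomes the only pointer to release history once the wiki Release Notes page is removed, it is worth getting the sentence right before merging.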

View file

@ -1,268 +0,0 @@
## 6.0.0
The major version 6 comes with all the greatness of the 6.0.0-beta milestone along with:
New rules:
* [#147](https://github.com/Microsoft/tslint-microsoft-contrib/issues/147) New rule: `use-simple-attributes`
## 6.0.0-beta
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A6.0.0-beta0)
This was a _huge_ one.
Thanks so much to our many contributors, both during #hacktoberfest and in the surrounding weeks!
⚠️ Breaking changes:
* [#632](https://github.com/Microsoft/tslint-microsoft-contrib/issues/632) Update `export-name`: fixed overly permissive validator
* [#624](https://github.com/Microsoft/tslint-microsoft-contrib/issues/624) Update `no-relative-imports`: disallow `.` and `..` path components
* [#594](https://github.com/Microsoft/tslint-microsoft-contrib/issues/594) Update `import-name`: fixed for long `../..` paths and similar
* [#527](https://github.com/Microsoft/tslint-microsoft-contrib/issues/527) Allow `.jsx` files to be considered as TSX
New rules:
* [#457](https://github.com/Microsoft/tslint-microsoft-contrib/issues/457) New rule: `informative docs`
* [#280](https://github.com/Microsoft/tslint-microsoft-contrib/issues/280) New rule: `react-a11y-required`
* [#278](https://github.com/Microsoft/tslint-microsoft-contrib/issues/278) New rule: `react-a11y-no-onchange`
* [#275](https://github.com/Microsoft/tslint-microsoft-contrib/issues/275) New rule: `react-a11y-input-elements`
* [#253](https://github.com/Microsoft/tslint-microsoft-contrib/issues/253) New rule: `non-literal-fs-path`
✅ General changes:
* [#634](https://github.com/Microsoft/tslint-microsoft-contrib/issues/634) Remove absolute paths from error messages
* [#588](https://github.com/Microsoft/tslint-microsoft-contrib/issues/588) Update `import-name`: better documentation on complex packages
* [#571](https://github.com/Microsoft/tslint-microsoft-contrib/issues/571) Update `react-anchor-blank-noopener`: option to avoid redundant rel values
* [#545](https://github.com/Microsoft/tslint-microsoft-contrib/issues/545) Update `mocha-no-side-effect-code`: ignore `.forEach` setups
* [#541](https://github.com/Microsoft/tslint-microsoft-contrib/issues/541) Update `import-name`: option for ignoring node_modules
* [#537](https://github.com/Microsoft/tslint-microsoft-contrib/issues/537) Update `react-no-dangerous-html`: suppressions no longer require absolute paths
* [#535](https://github.com/Microsoft/tslint-microsoft-contrib/issues/535) Update `react-this-binding-issue`: performance boost from internal `Set`s
* [#531](https://github.com/Microsoft/tslint-microsoft-contrib/issues/531) Update `export-name`: case-insensitive by default
* [#525](https://github.com/Microsoft/tslint-microsoft-contrib/issues/525) Don't consider `.tsx.ts` files as TSX
* [#518](https://github.com/Microsoft/tslint-microsoft-contrib/issues/518) Update `no-function-expression`: exclude generics in `.tsx` files
* [#498](https://github.com/Microsoft/tslint-microsoft-contrib/issues/498) Update `function-name`: add options for overlapping private and/or static method types
* [#493](https://github.com/Microsoft/tslint-microsoft-contrib/issues/493) Update `no-relative-import`: allow same folder imports
* [#486](https://github.com/Microsoft/tslint-microsoft-contrib/issues/486) Remove `newline-before-return` from recommended preset
* [#459](https://github.com/Microsoft/tslint-microsoft-contrib/issues/459) Update `function-name`: support symbol properties as names
* [#451](https://github.com/Microsoft/tslint-microsoft-contrib/issues/451) Update `import-name`: allow more forms of specifies with hyphens
* [#440](https://github.com/Microsoft/tslint-microsoft-contrib/issues/440) Update `no-suspicious-comment`: allow links to issues
* [#437](https://github.com/Microsoft/tslint-microsoft-contrib/issues/437) Update `react-a11y-image-button-has-alt`: no longer throw on input elements
* [#434](https://github.com/Microsoft/tslint-microsoft-contrib/issues/434) Update `react-a11y-anchors`: warn when there is no `'href'` attribute
* [#433](https://github.com/Microsoft/tslint-microsoft-contrib/issues/433) Update `react-a11y-anchors`: allow children and hidden content
* [#430](https://github.com/Microsoft/tslint-microsoft-contrib/issues/430) Update `export-name`: add `ignore-case` option
* [#429](https://github.com/Microsoft/tslint-microsoft-contrib/issues/429) Update `import-name`: clear documentation examples
* [#424](https://github.com/Microsoft/tslint-microsoft-contrib/issues/424) Update `import-name`: allow snake_case file names
* [#394](https://github.com/Microsoft/tslint-microsoft-contrib/issues/394) Update `react-a11y-anchors`: add `ignore-case` and `ignore-whitespace` options
* [#393](https://github.com/Microsoft/tslint-microsoft-contrib/issues/393) Update `max-func-body-length`: allow `default` classes
* [#392](https://github.com/Microsoft/tslint-microsoft-contrib/issues/392) Update `react-this-binding`: add detection for `@bind` decorators
* [#378](https://github.com/Microsoft/tslint-microsoft-contrib/issues/378) Update `import-name`: ignore modules with dotted paths
* [#362](https://github.com/Microsoft/tslint-microsoft-contrib/issues/362) Update `no-increment-decrement`: add an `allow-for-loop` option
* [#353](https://github.com/Microsoft/tslint-microsoft-contrib/issues/353) Update `react-tsx-curly-spacing`: empty `{}` node when it only contains comments
* [#317](https://github.com/Microsoft/tslint-microsoft-contrib/issues/317) Update `react-a11y-img-has-alt`: alt-text cannot be an image file name
* [#276](https://github.com/Microsoft/tslint-microsoft-contrib/issues/276) Update `img-alt-ignored-image-support`: add check for title attribute for images
☑️ Internal source code improvements:
* [#622](https://github.com/Microsoft/tslint-microsoft-contrib/issues/622) Added Node versions 10 and 11 on Travis
* [#616](https://github.com/Microsoft/tslint-microsoft-contrib/pulls/616) Add watcher that will run tests and lint
* [#610](https://github.com/Microsoft/tslint-microsoft-contrib/issues/610) Simplified release process to remove `npm-*` and `releases` branches
* [#602](https://github.com/Microsoft/tslint-microsoft-contrib/issues/602) Enabled `prefer-readonly` in source code
* [#587](https://github.com/Microsoft/tslint-microsoft-contrib/issues/587) Added Windows builds to Travis configuration
* [#568](https://github.com/Microsoft/tslint-microsoft-contrib/issues/568) Completely removed `ErrorTolerantWalker`
* [#566](https://github.com/Microsoft/tslint-microsoft-contrib/issues/566) Enabled `no-any` in source code
* [#558](https://github.com/Microsoft/tslint-microsoft-contrib/issues/558) Added Prettier
* [#556](https://github.com/Microsoft/tslint-microsoft-contrib/issues/556) Mark `ErrorTolerantWalker` as deprecated
* [#528](https://github.com/Microsoft/tslint-microsoft-contrib/issues/528) Added `launch.json` for VS Code
* [#512](https://github.com/Microsoft/tslint-microsoft-contrib/issues/512) Bumped Node versions on Travis to 6 and 8
* [#490](https://github.com/Microsoft/tslint-microsoft-contrib/issues/490) Stopped using `null` unnecessarily in source code
* [#484](https://github.com/Microsoft/tslint-microsoft-contrib/issues/484) Replaced Grunt dependency with npm scripts
* [#461](https://github.com/Microsoft/tslint-microsoft-contrib/issues/461) Used TypeScript's `--strict` mode in source code
## 5.2.1
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A5.2.1)
* [#479](https://github.com/Microsoft/tslint-microsoft-contrib/issues/479) Source control improvement: repository forces `\n` endline style on Windows
* [#485](https://github.com/Microsoft/tslint-microsoft-contrib/issues/485) Adjusted `tsutils` peer dependency to not allow versions that break either TypeScript 2.X or 3.X
## 5.2.0
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A5.2.0)
* [#207](https://github.com/Microsoft/tslint-microsoft-contrib/issues/207) Checked second expect() messages in chai-vague-errors
* [#454](https://github.com/Microsoft/tslint-microsoft-contrib/issues/454) Disable no-multiline-string in recommended ruleset
* [#465](https://github.com/Microsoft/tslint-microsoft-contrib/issues/465) Avoided matching describe() calls in max-func-body-length
* [#468](https://github.com/Microsoft/tslint-microsoft-contrib/issues/468) Fixed max-func-body-length off-by-one counts
* [#475](https://github.com/Microsoft/tslint-microsoft-contrib/issues/475) Added TypeScript@3 as allowed peer dependency
* [#476](https://github.com/Microsoft/tslint-microsoft-contrib/issues/476) Fixed react-a11y-image-button-has-alt crashes on expression types
## 5.1.0
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A5.1.0)
* [#115](https://github.com/Microsoft/tslint-microsoft-contrib/issues/115) Single line block comments allowed to be nested inside code or JSX
* [#291](https://github.com/Microsoft/tslint-microsoft-contrib/issues/291) Excluded generators in no-function-expression
* [#381](https://github.com/Microsoft/tslint-microsoft-contrib/issues/381) Fixed no-unnecessary-local-variable false positive
* [#389](https://github.com/Microsoft/tslint-microsoft-contrib/issues/389) Ignored test inclusions/exclusions for mocha-no-side-effect-code
* [#412](https://github.com/Microsoft/tslint-microsoft-contrib/pull/412) Fixed several no-octal-literal edge cases
* [#413](https://github.com/Microsoft/tslint-microsoft-contrib/issues/413) Fixed backslashes in no-octal-literal
* [#417](https://github.com/Microsoft/tslint-microsoft-contrib/pull/417) Type-checking for noStringBased rules
* [#423](https://github.com/Microsoft/tslint-microsoft-contrib/pull/423) Allowed `http://localhost` for recommended no-http-string setting
* [#425](https://github.com/Microsoft/tslint-microsoft-contrib/issues/425) Added config setting for `no-inner-html` for which expressions to flag
* [#427](https://github.com/Microsoft/tslint-microsoft-contrib/pull/427) Added console.error to recommended ruleset for `no-console`
* [#444](https://github.com/Microsoft/tslint-microsoft-contrib/issues/444) Started flagging `export { ... }` declarations in export-name
* [#446](https://github.com/Microsoft/tslint-microsoft-contrib/issues/446) Allowed this.timeout in mocha-no-side-effect-code
* [#447](https://github.com/Microsoft/tslint-microsoft-contrib/pull/447) Update broken accessibility link in README.md
* [#449](https://github.com/Microsoft/tslint-microsoft-contrib/pull/449) Removed invalid examples.com domain from recommended ruleset
## 5.0.3
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A5.0.3)
* [#390](https://github.com/Microsoft/tslint-microsoft-contrib/issues/390) react-a11y-image-button-has-alt toLowerCase error throws
* [#414](https://github.com/Microsoft/tslint-microsoft-contrib/issues/414) Remove TypeError in reactA11yImgHasAltRule.ts for undefined role attribute
* [#411](https://github.com/Microsoft/tslint-microsoft-contrib/issues/411) Removed default configuration of deprecated rules.
* [#405](https://github.com/Microsoft/tslint-microsoft-contrib/issues/405) Deprecated several rules that are now duplicates
* [#410](https://github.com/Microsoft/tslint-microsoft-contrib/issues/410) Removed default configuration of deprecated rules.
## 5.0.2
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A5.0.2)
* [#402](https://github.com/Microsoft/tslint-microsoft-contrib/issues/402) fix false positive for no-string-based-set-timeout
* [#406](https://github.com/Microsoft/tslint-microsoft-contrib/issues/406) deprecate no-stateless-class rule in favor of no-unnecessary-class
* [#382](https://github.com/Microsoft/tslint-microsoft-contrib/issues/382) Deprecate the `no-var-self` rule and replace with no-this-assignment
* [#401](https://github.com/Microsoft/tslint-microsoft-contrib/issues/401) add grunt rule to generate rule-metadata.json which contains all rule…
* [#400](https://github.com/Microsoft/tslint-microsoft-contrib/issues/400) Audit rules that have already been added in TSLint
* [#399](https://github.com/Microsoft/tslint-microsoft-contrib/issues/399) Use ReadonlyArray for node arrays
* [#391](https://github.com/Microsoft/tslint-microsoft-contrib/issues/391) Upgrade grunt and other library versions in build
* [#386](https://github.com/Microsoft/tslint-microsoft-contrib/issues/386) Add 'typescript' to peer dependencies
* [#379](https://github.com/Microsoft/tslint-microsoft-contrib/issues/379) The use-isnan rule is fully removed
## 5.0.1
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A5.0.1)
* [#373](https://github.com/Microsoft/tslint-microsoft-contrib/issues/373) Fix tsutils peer dependency issue with tslint-microsoft-contrib@5.0.0
* [#371](https://github.com/Microsoft/tslint-microsoft-contrib/issues/371) relax tsutils peer dependency
* [#375](https://github.com/Microsoft/tslint-microsoft-contrib/issues/375) Fix mocha-avoid-only. Only return expression length to stop annoying whole block underlining
* [#372](https://github.com/Microsoft/tslint-microsoft-contrib/issues/372) Remove the use-isnan rule
* [#370](https://github.com/Microsoft/tslint-microsoft-contrib/issues/370) Fix no-http-string. Do not ignore template strings
## 5.0.0
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A5.0.0)
* [#359](https://github.com/Microsoft/tslint-microsoft-contrib/issues/359) Update TSLint to v5
* [#354](https://github.com/Microsoft/tslint-microsoft-contrib/issues/354) tslint 5.0.0 contains custom rule breaking changes
* [#367](https://github.com/Microsoft/tslint-microsoft-contrib/issues/367) Add support for tslint version to 5.1.0
* [#369](https://github.com/Microsoft/tslint-microsoft-contrib/issues/369) Support typescript 2.3
* [#349](https://github.com/Microsoft/tslint-microsoft-contrib/issues/349) New rule: no-useless-files
* [#368](https://github.com/Microsoft/tslint-microsoft-contrib/issues/368) Remove deprecated rule 'no-unused-imports'
* [#364](https://github.com/Microsoft/tslint-microsoft-contrib/issues/364) remove no-sparse-arrays rule
* [#361](https://github.com/Microsoft/tslint-microsoft-contrib/issues/361) Use TypeScript config files for compilation
* [#360](https://github.com/Microsoft/tslint-microsoft-contrib/issues/360) gruntfile and tsconfig are inconsistent
* [#350](https://github.com/Microsoft/tslint-microsoft-contrib/issues/350) Add AppVeyor configuration
* [#348](https://github.com/Microsoft/tslint-microsoft-contrib/issues/348) Fix the new rule snippet to not create an immediately broken file
## 4.0.1
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A4.0.1)
* [#345](https://github.com/Microsoft/tslint-microsoft-contrib/issues/345) Remove no-unused-variable to suppress tslint warning
* [#344](https://github.com/Microsoft/tslint-microsoft-contrib/issues/344) typedef rule - Change recommended parameters so to something meaningful bug
* [#343](https://github.com/Microsoft/tslint-microsoft-contrib/issues/343) object-literal-key-quotes false positive when linting empty string
* [#341](https://github.com/Microsoft/tslint-microsoft-contrib/issues/341) Recommended value for member-ordering rule is pointless enhancement
* [#338](https://github.com/Microsoft/tslint-microsoft-contrib/issues/338) no-http-string rule - false positive when http:// occurs in the middle of a string
* [#337](https://github.com/Microsoft/tslint-microsoft-contrib/issues/337) Performance - no-http-string should replace regex with indexOf
* [#336](https://github.com/Microsoft/tslint-microsoft-contrib/issues/336) no-http-string rule should support very large source files and string input
* [#333](https://github.com/Microsoft/tslint-microsoft-contrib/issues/333) remove "prefer-const" rule - tslint has same rule with same name so our's is unusable
* [#332](https://github.com/Microsoft/tslint-microsoft-contrib/issues/332) Performance - no-http-string should use visitStringLiteral not visitNode
* [#331](https://github.com/Microsoft/tslint-microsoft-contrib/issues/331) no-http-string's NoHttpStringWalker should use visitStringLiteral
* [#328](https://github.com/Microsoft/tslint-microsoft-contrib/issues/328) Deprecate no-empty-interfaces - rule is now in TSLint bug
* [#327](https://github.com/Microsoft/tslint-microsoft-contrib/issues/327) Improve import-name failure message when import filenames contain a dot enhancement
* [#326](https://github.com/Microsoft/tslint-microsoft-contrib/issues/326) update recommended ruleset with new tslint 4.0 rules
## 4.0.0
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A3.0.0)
* [#313](https://github.com/Microsoft/tslint-microsoft-contrib/issues/313) Enhancement - tslint 4.0 support
* [#319](https://github.com/Microsoft/tslint-microsoft-contrib/issues/319) Enhancement - react-a11y-anchors-rule now includes innerimage alt text as its text content
* [#318](https://github.com/Microsoft/tslint-microsoft-contrib/issues/318) Enhancement - Fix line endings errors in IDE by providing an .editorconfig file
* [#320](https://github.com/Microsoft/tslint-microsoft-contrib/issues/320) Bug - react-a11y-img-has-alt not working when passing options
## 2.0.14
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=milestone%3A2.0.14)
* [#302](https://github.com/Microsoft/tslint-microsoft-contrib/issues/302) New Rule - react-tsx-curly-spacing - Port TSX curly spacing rule.
* [#255](https://github.com/Microsoft/tslint-microsoft-contrib/issues/255) New Rule - new security rule: detect-non-literal-require
* [#311](https://github.com/Microsoft/tslint-microsoft-contrib/issues/311) Enhancement - Configurable Props and State interface names
* [#310](https://github.com/Microsoft/tslint-microsoft-contrib/issues/310) Enhancement - Rule no-stateless-class does not account for constructors using parameter properties bug
* [#308](https://github.com/Microsoft/tslint-microsoft-contrib/issues/308) Enhancement - function-name rule - add support for linting protected methods
* [#303](https://github.com/Microsoft/tslint-microsoft-contrib/issues/303) Enhancement - mocha-no-side-effect: Add support for "BeforeAll()" and "afterAll()" methods (Jasmine)
* [#301](https://github.com/Microsoft/tslint-microsoft-contrib/issues/301) Enhancement - Declare TypeScript SDK path in VSCode settings.
* [#292](https://github.com/Microsoft/tslint-microsoft-contrib/issues/292) Enhancement - support checkLoops for noConstantConditionRule
* [#240](https://github.com/Microsoft/tslint-microsoft-contrib/issues/240) Enhancement - mocha rules: support context and specify feature-request
* [#317](https://github.com/Microsoft/tslint-microsoft-contrib/issues/317) Documentation - Use inline code in `prefer-type-cast` doc to improve readability
* [#312](https://github.com/Microsoft/tslint-microsoft-contrib/issues/312) Bug Fix - Support for Typescript 2.1
* [#307](https://github.com/Microsoft/tslint-microsoft-contrib/issues/307) Bug Fix - False positive for no-unnecessary-semicolons on empty loops bug
* [#306](https://github.com/Microsoft/tslint-microsoft-contrib/issues/306) Bug Fix - false positive in string timeout methods: Function is treated as string
* [#305](https://github.com/Microsoft/tslint-microsoft-contrib/issues/305) Bug Fix - fix anchors rule not correctly apply 4 chars rule
* [#304](https://github.com/Microsoft/tslint-microsoft-contrib/issues/304) Bug Fix - Remove deprecated no-duplicate-key rule
* [#298](https://github.com/Microsoft/tslint-microsoft-contrib/issues/298) Bug Fix - update rule: react-a11y-img-has-alt - should allow role='presentation' with non-empty alt text.
* [#296](https://github.com/Microsoft/tslint-microsoft-contrib/issues/296) Bug Fix - update rule: react-a11y-role-supports-aria-props - Do not check custom element
* [#295](https://github.com/Microsoft/tslint-microsoft-contrib/issues/295) Bug Fix - update rule: react-a11y-anchors - Do not check if role='button'
* [#261](https://github.com/Microsoft/tslint-microsoft-contrib/issues/261) Bug Fix - 'this' banned term conflicts with Typescript's function this-types
## 2.0.13
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20milestone%3A2.0.13)
* [#268](https://github.com/Microsoft/tslint-microsoft-contrib/issues/268) Make extends tslint.json easier by adding "rulesDirectory": "./".
* [#270](https://github.com/Microsoft/tslint-microsoft-contrib/issues/270) TestHelper fail in version 2.0.12
* [#289](https://github.com/Microsoft/tslint-microsoft-contrib/issues/289) react-a11y-anchors false positive when anchor href is undefined bug
* [#288](https://github.com/Microsoft/tslint-microsoft-contrib/issues/288) react-a11y-proptypes: fix rule to scan boolean types when analyzing tokens bug
* [#287](https://github.com/Microsoft/tslint-microsoft-contrib/issues/287) aria-role-supports-props: false positive when role is defined by an expression bug
* [#269](https://github.com/Microsoft/tslint-microsoft-contrib/issues/269) react-a11y-anchors fails on links that contact exactly 4 characters of text bug
## 2.0.11/2.0.12
A big release and a big thank you to all the contributors:
From the Suzhou SOX Publishing team
* Liubin Guo (huge thanks!), Liaoliang Ye, and Evgeniia Firsova
From the Microsoft Social Engagement team
* MogensFogh, Daniel Manesku - @danielmanesku, Cosmin Cojocar - @cosmincojocar, and @loicraux
From the world outside Microsoft!
* Matteo Ferrando - @chamini2, Gaurav Ramanan - @gaurav21r, Przemysław Duszyński - @Przemek-at-Ais, @studds, and Saurabh Sharma
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20milestone%3A2.0.11)
* [#267](https://github.com/Microsoft/tslint-microsoft-contrib/issues/267) remove underscore dependency in 2.0.11
* [#256](https://github.com/Microsoft/tslint-microsoft-contrib/issues/256) new security rule: detect-possible-timing-attacks
* [#210](https://github.com/Microsoft/tslint-microsoft-contrib/issues/210) new security rule: react-anchor-blank-noopener
* [#187](https://github.com/Microsoft/tslint-microsoft-contrib/issues/187) new security rule: insecure random (CWE-330)
* [#186](https://github.com/Microsoft/tslint-microsoft-contrib/issues/186) new security rule: suspicious comment (CWE 546)
* [#257](https://github.com/Microsoft/tslint-microsoft-contrib/issues/257) new rule: react-a11y-event-has-role
* [#247](https://github.com/Microsoft/tslint-microsoft-contrib/issues/247) new rule: react-a11y-aria-unsupported-elements
* [#246](https://github.com/Microsoft/tslint-microsoft-contrib/issues/246) new rule: react-a11y-image-button-has-alt rule
* [#245](https://github.com/Microsoft/tslint-microsoft-contrib/issues/245) new rule: react-a11y-proptypes
* [#216](https://github.com/Microsoft/tslint-microsoft-contrib/issues/216) new rule: react-a11y-role-supports-aria-props - Enforce that elements with explicit or implicit roles defined contain only aria-* properties supported by that role
* [#215](https://github.com/Microsoft/tslint-microsoft-contrib/issues/215) new rule: react-a11y-role - Elements with aria roles must use a **valid**, **non-abstract** aria role
* [#214](https://github.com/Microsoft/tslint-microsoft-contrib/issues/214) new rule: react-a11y-role-has-required-aria-props - Elements with aria roles must have all required attributes according to the role
* [#213](https://github.com/Microsoft/tslint-microsoft-contrib/issues/213) new rule: react-a11y-props - Enforce all aria-* props are valid.
* [#212](https://github.com/Microsoft/tslint-microsoft-contrib/issues/212) new rule: react-a11y-img-has-alt - <img> elements must have an alt-text defined
* [#211](https://github.com/Microsoft/tslint-microsoft-contrib/issues/211) new rule: react-a11y-tabindex-no-positive - Enforce tabIndex value is not greater than zero.
* [#199](https://github.com/Microsoft/tslint-microsoft-contrib/issues/199) new rule: react-a11y-anchors
* [#197](https://github.com/Microsoft/tslint-microsoft-contrib/issues/197) new rule: react-a11y-titles
* [#194](https://github.com/Microsoft/tslint-microsoft-contrib/issues/194) new rule: react-a11y-lang
* [#239](https://github.com/Microsoft/tslint-microsoft-contrib/issues/239) Support for context.only in Mocha related rules
* [#265](https://github.com/Microsoft/tslint-microsoft-contrib/issues/265) allow other projects to use extends for our tslint.json
* [#234](https://github.com/Microsoft/tslint-microsoft-contrib/issues/234) react-aria rules: update implicit roles, aria schema, and role schema to support ARIA 1.1
* [#218](https://github.com/Microsoft/tslint-microsoft-contrib/issues/218) Update react-a11y-img-has-alt - If an image has an alt or title attribute, it should not have a presentation role
## 2.0.10
[All Issues](https://github.com/Microsoft/tslint-microsoft-contrib/issues?utf8=%E2%9C%93&q=is%3Aissue%20milestone%3A2.0.10)
* [#189](https://github.com/Microsoft/tslint-microsoft-contrib/issues/189) new security rule: iframe has invalid or missing sandbox attribute
* [#73](https://github.com/Microsoft/tslint-microsoft-contrib/issues/73) new rule: unused react interface property
* [#180](https://github.com/Microsoft/tslint-microsoft-contrib/issues/180) new rule: chai - indexOf can be .contains call
* [#179](https://github.com/Microsoft/tslint-microsoft-contrib/issues/179) new rule: unneeded mocha done
* [#171](https://github.com/Microsoft/tslint-microsoft-contrib/issues/171) new rule: no-unsupported-browser-code
* [#115](https://github.com/Microsoft/tslint-microsoft-contrib/issues/115) new rule: no single line block comment
* [#85](https://github.com/Microsoft/tslint-microsoft-contrib/issues/85) new rule: mocha-no-side-effect-code
* [#44](https://github.com/Microsoft/tslint-microsoft-contrib/issues/44) new rule: enforce one of the two Underscore function call forms
* [#190](https://github.com/Microsoft/tslint-microsoft-contrib/issues/190) Add tslint.json to npm release
* [#184](https://github.com/Microsoft/tslint-microsoft-contrib/issues/184) Export TestHelper in npm package
* [#183](https://github.com/Microsoft/tslint-microsoft-contrib/issues/183) add Common Weakness Enumeration info to all rules and generate spreadsheet
* [#173](https://github.com/Microsoft/tslint-microsoft-contrib/issues/173) rewrite formatters adding extra white space
* [#172](https://github.com/Microsoft/tslint-microsoft-contrib/issues/172) `import-name` needs to be configurable for kebab-cased imports
* [#110](https://github.com/Microsoft/tslint-microsoft-contrib/issues/110) prefer-array-literal: Error when using Array in a type annotation
* [#83](https://github.com/Microsoft/tslint-microsoft-contrib/issues/83) enhance chai-vague-error rule
* [#64](https://github.com/Microsoft/tslint-microsoft-contrib/issues/64) Update development section of the doc
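
Review bot: CHANGELOG.md needs to carry every entry removed in this file (2.0.10 through 6.0.0) before the deletion lands, because README.md now sends readers there for the full project changelog. That matters most for the lines recording when security rules were introduced, such as #187 insecure random (CWE-330), #256 detect-possible-timing-attacks, #255 detect-non-literal-require and #189 iframe sandbox. If the entries are carried over, fix two defects visible here at the new location: the 4.0.0 "All Issues" link points at `milestone%3A3.0.0`, and 5.0.3 lists "Removed default configuration of deprecated rules." twice (#411 and #410).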

View file

@ -1,59 +0,0 @@
# Overview
* The npm package is published by the [Microsoft account](https://www.npmjs.com/~microsoft)
* [Directions for publishing](https://opensourcehub.microsoft.com/articles/how-to-publish-npm-package) with the Microsoft Account are available with CORPNET access
* Releases are made from the "master" branch and tagged with the format "[version]"
## Prepare the tslint-microsoft-contrib master branch
* Make sure there are 0 closed issues without a milestone. Assign milestone as needed using [this query](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=no%3Amilestone%20is%3Aclosed%20)
* Close the milestone
* Open the next milestone
* Update the [Release Notes](https://github.com/Microsoft/tslint-microsoft-contrib/wiki/Release-Notes
)
* Make sure `package.json` and `package-lock.json` contain the version you wish to publish
* Update `README.md` to have the correct version numbers and links
* Pull any recent git changes and rebuild:
```shell
git pull
npm run test
```
* Tag the master branch with the format [version]
```shell
git tag 0.0.1
git push --tags
```
* Increase the version number in package.json and README.md to the next minor version and push
## Prepare the tslint-microsoft-contrib releases branch
* Clone the repo again to a new folder:
```shell
git clone https://github.com/Microsoft/tslint-microsoft-contrib tslint-microsoft-contrib-releases
```
* Checkout branch `releases`
```shell
git checkout releases
```
* Replace all files with the contents of `/dist/build` directory created from `master`
* Commit and push to remote
* tag the releases branch with the format `npm-[version]`
```shell
git tag npm-2.0.10
git push --tags
```
## Publish the Package with the Microsoft npmjs Account
* Follow the steps at https://docs.opensource.microsoft.com/releasing/build-your-project.html#npm
* Basically just send the email they want and wait a little while
* Include the npmjs.org user ids of all contributors: brndkfr, hamletdrc, dmanesku, joshuakgoldberg

View file

@ -1,52 +0,0 @@
The [Security Development Lifecycle (SDL)](https://www.microsoft.com/en-us/sdl/) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
Together TypeScript, TSLint, and tslint-microsoft-contrib have automated most of the rules and recommendations made by the MS SDL.
Enable these rules in order to be compliant with the SDL:
Rule Name | From | Description
:--------------------- | :------------ | -------------
`no-eval` | tslint | Do not use the 'eval' function or its functional equivalents.
`use-strict` | tslint | Always enable strict mode when possible.
`no-octal-literal` | tslint-microsoft-contrib | Do not use octal literals or escaped octal sequences in  strict-mode compatible code.
`no-duplicate-parameter-names` | tslint-microsoft-contrib | Do not duplicate parameter names.
`no-delete-expression` | tslint-microsoft-contrib | Do not delete expressions.
`no-disable-auto-sanitization` | tslint-microsoft-contrib | Do not disable auto-sanitization in frameworks or application helper code.
`no-exec-script` | tslint-microsoft-contrib | Banned term - execScript.
`no-string-based-set-timeout` | tslint-microsoft-contrib | Do not use the version of setTimeout that accepts code as a string argument. However, it is acceptable to use the version of setTimeout where a direct reference to a function is provided as the callback argument.
`no-string-based-set-interval` | tslint-microsoft-contrib | Do not use the version of setInterval that accepts code as a string argument. However, it is acceptable to use the version of setInterval where a direct reference to a function is provided as the callback argument.
`no-string-based-set-immediate` | tslint-microsoft-contrib | Do not use the version of setImmediate that accepts code as a string argument. However, it is acceptable to use the version of setImmediate where a direct reference to a function is provided as the callback argument.
`no-function-constructor-with-string-args` | tslint-microsoft-contrib | Do not use the version of the Function constructor that accepts a string argument to define the body of the function.
`no-banned-terms` | tslint-microsoft-contrib | Do not access terms or variables that create ambiguity or are banned in strict mode.
`no-reserved-keywords` | tslint-microsoft-contrib | Do not use reserved and future reserved keywords as identifiers.
`no-document-domain` | tslint-microsoft-contrib | Do not write to document.domain. Scripts setting document.domain to any value should be validated to ensure that the value is on a list of allowed sites.
You will want your tslint ruleset defined similarly to this if you'd like to enable all of these rules:
{
"rules": {
"no-banned-terms": true,
"no-delete-expression": true,
"no-document-domain": true,
"no-disable-auto-sanitization": true,
"no-duplicate-parameter-names": true,
"no-exec-script": true,
"no-function-constructor-with-string-args": true,
"no-octal-literal": true,
"no-reserved-keywords": true,
"no-string-based-set-immediate": true,
"no-string-based-set-interval": true,
"no-string-based-set-timeout": true,
"no-eval": true
}
}
There are also some other security related rules that are not specifically part of the SDL. We recommend that you also use these rules:
* no-document-write - Do not use document.write (because it accepts unsanitized input)
* no-http-string – It can cause an http connection without TLS thus allowing a cookie stealing attack
* no-inner-html Do not write values to innerHTML, outerHTML, or set HTML using the JQuery html() function
* react-no-dangerous-html - Do not use React's dangerouslySetInnerHTML API (because it accepts unsanitized input)
Additionally, some [tsc compiler options](https://www.typescriptlang.org/docs/handbook/compiler-options.html) should be enabled:
* --alwaysStrict - Parse in strict mode and emit "use strict" for each source file
*

16
docs/README.md Normal file
View file

@ -0,0 +1,16 @@
# Welcome to the `tslint-microsoft-contrib` docs!
## General info
- [TSLint and the Microsoft Security Development Lifecycle](./TSLint-and-the-Microsoft-Security-Development-Lifecycle.md)
- [Releases](./Releases.md)
## Detailed info for rules
- [react-a11y-img-has-alt](./react-a11y-img-has-alt-Rule.md)
- [react-a11y-props](./react-a11y-props-Rule.md)
- [react-a11y-role-has-required-props](./react-a11y-role-has-required-props-Rule.md)
- [react-a11y-role-supports-aria-props](./react-a11y-role-supports-aria-props-Rule.md)
- [react-a11y-tabindex-no-positive](./react-a11y-tabindex-no-positive-Rule.md)
- [react-ally-role](./react-ally-role-Rule.md)
- [react-no-dangerous-html](./react-no-dangerous-html-Rule.md)
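
Review bot: The `react-ally-role` entry in the rules list is spelled with "ally" where every other accessibility entry uses "a11y" (`react-a11y-img-has-alt`, `react-a11y-props`, and so on). If this is a typo carried over from the wiki file name, rename the doc and its link together so that a search for the rule name finds the page; if the file name has to stay for link stability, at least correct the link text. Since the index relies on relative links, it is also worth confirming that each target exists under `docs/` after the move.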

59
docs/Releases.md Normal file
View file

@ -0,0 +1,59 @@
# Overview
- The npm package is published by the [Microsoft account](https://www.npmjs.com/~microsoft)
- [Directions for publishing](https://opensourcehub.microsoft.com/articles/how-to-publish-npm-package) with the Microsoft Account are available with CORPNET access
- Releases are made from the "master" branch and tagged with the format "[version]"
## Prepare the tslint-microsoft-contrib master branch
- Make sure there are 0 closed issues without a milestone. Assign milestone as needed using [this query](https://github.com/Microsoft/tslint-microsoft-contrib/issues?q=no%3Amilestone%20is%3Aclosed%20)
- Close the milestone
- Open the next milestone
- Update `CHANGELOG.md`. Stable releases should contain list of new changes as well as full list of changes since previous stable release.
- Make sure `package.json` and `package-lock.json` contain the version you wish to publish
- Update `README.md` to have the correct links and version numbers for new rules (replace `@next` placeholder with next version)
- Pull any recent git changes and rebuild:
```shell
git pull
npm run test
```
- Tag the master branch with the format [version]
```shell
git tag 0.0.1
git push --tags
```
- Create [release](https://github.com/Microsoft/tslint-microsoft-contrib/releases) for newly pushed tag
- Increase the version number in package.json and README.md to the next minor version and push
## Prepare the tslint-microsoft-contrib releases branch
- Clone the repo again to a new folder:
```shell
git clone https://github.com/Microsoft/tslint-microsoft-contrib tslint-microsoft-contrib-releases
```
- Checkout branch `releases`
```shell
git checkout releases
```
- Replace all files with the contents of `/dist/build` directory created from `master`
- Commit and push to remote
- tag the releases branch with the format `npm-[version]`
```shell
git tag npm-2.0.10
git push --tags
```
## Publish the Package with the Microsoft npmjs Account
- Follow the steps at https://docs.opensource.microsoft.com/releasing/build-your-project.html#npm
- Basically just send the email they want and wait a little while
- Include the npmjs.org user ids of all contributors: brndkfr, hamletdrc, dmanesku, joshuakgoldberg
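
Review bot: The last step of "Prepare the tslint-microsoft-contrib master branch" bumps the version in package.json and README.md only, while an earlier step requires both `package.json` and `package-lock.json` to contain the version being published; add `package-lock.json` to the bump step so the two files do not drift apart. Both tagging steps use `git push --tags`, which pushes every local tag rather than just the release tag; pushing the one tag by name (for example `git push origin npm-2.0.10`, assuming the remote is called `origin`) keeps stray local tags out of the shared repository, which matters because the `npm-[version]` tag marks what gets published. The Overview and the Publish section also link to two different sets of publishing instructions (opensourcehub.microsoft.com and docs.opensource.microsoft.com); keep whichever is current.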

View file

@ -0,0 +1,120 @@
The [Security Development Lifecycle (SDL)](https://www.microsoft.com/en-us/sdl/) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
Together TypeScript, TSLint, and tslint-microsoft-contrib have automated most of the rules and recommendations made by the MS SDL.
Enable these rules in order to be compliant with the SDL:
<table>
<thead>
<tr>
<th>Rule Name</th>
<th>From</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>no-eval</code></td>
<td>tslint</td>
<td>Do not use the `eval` function or its functional equivalents.</td>
</tr>
<tr>
<td><code>use-strict</code></td>
<td>tslint</td>
<td>Always enable strict mode when possible.</td>
</tr>
<tr>
<td><code>no-octal-literal</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not use octal literals or escaped octal sequences in strict-mode compatible code.</td>
</tr>
<tr>
<td><code>no-duplicate-parameter-names</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not duplicate parameter names.</td>
</tr>
<tr>
<td><code>no-delete-expression</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not delete expressions.</td>
</tr>
<tr>
<td><code>no-disable-auto-sanitization</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not disable auto-sanitization in frameworks or application helper code.</td>
</tr>
<tr>
<td><code>no-exec-script</code></td>
<td>tslint-microsoft-contrib</td>
<td>Banned term - `execScript`.</td>
</tr>
<tr>
<td><code>no-string-based-set-timeout</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not use the version of `setTimeout` that accepts code as a string argument. However, it is acceptable to use the version of `setTimeout` where a direct reference to a function is provided as the callback argument.</td>
</tr>
<tr>
<td><code>no-string-based-set-interval</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not use the version of `setInterval` that accepts code as a string argument. However, it is acceptable to use the version of `setInterval` where a direct reference to a function is provided as the callback argument.</td>
</tr>
<tr>
<td><code>no-string-based-set-immediate</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not use the version of `setImmediate` that accepts code as a string argument. However, it is acceptable to use the version of ``setImmediate` where a direct reference to a function is provided as the callback argument.</td>
</tr>
<tr>
<td><code>no-function-constructor-with-string-args</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not use the version of the Function constructor that accepts a string argument to define the body of the function.</td>
</tr>
<tr>
<td><code>no-banned-terms</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not access terms or variables that create ambiguity or are banned in strict mode.</td>
</tr>
<tr>
<td><code>no-reserved-keywords</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not use reserved and future reserved keywords as identifiers.</td>
</tr>
<tr>
<td><code>no-document-domain</code></td>
<td>tslint-microsoft-contrib</td>
<td>Do not write to `document.domain`. Scripts setting `document.domain` to any value should be validated to ensure that the value is on a list of allowed sites.</td>
</tr>
</tbody>
</table>
You will want your tslint ruleset defined similarly to this if you'd like to enable all of these rules:
```json
{
"rules": {
"no-banned-terms": true,
"no-delete-expression": true,
"no-document-domain": true,
"no-disable-auto-sanitization": true,
"no-duplicate-parameter-names": true,
"no-exec-script": true,
"no-function-constructor-with-string-args": true,
"no-octal-literal": true,
"no-reserved-keywords": true,
"no-string-based-set-immediate": true,
"no-string-based-set-interval": true,
"no-string-based-set-timeout": true,
"no-eval": true
}
}
```
There are also some other security related rules that are not specifically part of the SDL. We recommend that you also use these rules:
- `no-document-write` - Do not use `document.write` (because it accepts unsanitized input)
- `no-http-string` – It can cause an http connection without TLS thus allowing a cookie stealing attack
- `no-inner-html` - Do not write values to `innerHTML`, `outerHTML`, or set HTML using the JQuery `html()` function
- `react-no-dangerous-html` - Do not use React's `dangerouslySetInnerHTML` API (because it accepts unsanitized input)
Additionally, some [tsc compiler options](https://www.typescriptlang.org/docs/handbook/compiler-options.html) should be enabled:
- `--alwaysStrict` - Parse in strict mode and emit `"use strict"` for each source file
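
Review bot: The sample ruleset leaves out `use-strict`, although the table above lists `use-strict` among the rules to enable for SDL compliance and the sentence introducing the sample says it enables all of them; add it to the sample or explain the omission (for instance, if `--alwaysStrict` is meant to cover it). In the new HTML table the description cells use Markdown backticks inside `<td>`, which Markdown renderers generally leave as literal characters inside an HTML block; use `<code>` there as the first column already does. The `no-string-based-set-immediate` row also has a doubled backtick before the second `setImmediate`.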

View file

@ -1,11 +1,11 @@
# react-a11y-img-has-alt
Enforce that an `img` element contains the `alt` attribute. For decorative images, using empty alt attribute and role="presentation". All images must have `alt` text to convey their purpose and meaning to **screen reader users**.
Enforce that an `img` element contains the `alt` attribute. For decorative images, using empty `alt` attribute and `role="presentation"`. All images must have `alt` text to convey their purpose and meaning to **screen reader users**.
Besides, the `alt` attribute specifies an alternate text for an image, if the image cannot be displayed.
## References
- [presentation (role)](https://www.w3.org/TR/wai-aria-1.1/#presentation)
- [presentation (role)](https://www.w3.org/TR/wai-aria-1.1/#presentation)
## Rule options
@ -32,13 +32,14 @@ public render(): JSX.Element {
}
```
To make this plugin check your `Image` element, specify the following configuration in your `tslint.json` file:
```json
{
"rules": {
"a11y-img-has-alt": [true, ["Image"]]
}
"rules": {
"a11y-img-has-alt": [true, ["Image"]]
}
}
```
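
Review bot: The configuration example keys the rule as `a11y-img-has-alt`, but the page title and the new docs index both name it `react-a11y-img-has-alt`, and the hunk only re-indents the example. A reader who copies the example as written would configure a key that does not match the documented rule name, so confirm the name and correct the key while this file is being touched.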

View file

View file

@ -4,8 +4,8 @@ Elements with aria roles must have all required attributes according to the role
## References
- [WAI-ARIA roles](https://www.w3.org/TR/wai-aria-1.1/#role_definitions)
- [AX_ARIA_03](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_aria_03)
- [WAI-ARIA roles](https://www.w3.org/TR/wai-aria-1.1/#role_definitions)
- [AX_ARIA_03](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_aria_03)
## Rule options
@ -17,14 +17,14 @@ This rule takes no arguments.
```tsx
// The <div> element has no required attribute aria-checked for checkbox role.
<div role='checkbox' />
<div role="checkbox" />
```
### Good
```tsx
// The <div> element has required attribute aria-checked for checkbox role.
<div role='checkbox' aria-checked='false' />
<div role="checkbox" aria-checked="false" />
```
## Note
@ -36,12 +36,12 @@ For example:
```tsx
// <input> element explicit role is checkbox, it requires aria-checked attribute.
<input role='checkbox' type='button' />
<input role="checkbox" type="button" />
```
### Good
```tsx
// <input> element implicit role is checkbox, it has required aria-checked attribute.
<input role='checkbox' aria-checked='true' />
<input role="checkbox" aria-checked="true" />
```
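
Review bot: In the final "Good" example the comment says the `<input>` element's implicit role is checkbox, yet the markup sets `role="checkbox"` explicitly and has no `type` attribute, so the comment and the code disagree. Either show the implicit case (for example `<input type="checkbox" aria-checked="true" />`) or change the comment to say "explicit role"; the quote-style change is a good moment to fix it.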

View file

@ -5,8 +5,8 @@ Many aria attributes (states and properties) can only be used on elements with p
## References
- [AX_ARIA_10](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_aria_10)
- [Supported States & Properties](https://www.w3.org/TR/wai-aria-1.1/#states_and_properties)
- [AX_ARIA_10](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_aria_10)
- [Supported States & Properties](https://www.w3.org/TR/wai-aria-1.1/#states_and_properties)
## Rule options
@ -25,6 +25,7 @@ This rule takes no arguments.
```
### Good
```tsx
// The explicit checkbox role does support the aria-checked attribute.
<div role='checkbox' aria-checked='true' />
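
Review bot: The context line `<div role='checkbox' aria-checked='true' />` under "Good" still uses single quotes, while the other examples in this file and in the sibling a11y docs are switched to double quotes by this commit. If the formatter skipped this block, fix it by hand so the examples stay consistent.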
@ -42,12 +43,12 @@ For example:
```tsx
// The <input> element explicit role is button, it does not support aria-checked attribute.
<input role='button' type='checkbox' aria-checked='true' />
<input role="button" type="checkbox" aria-checked="true" />
```
### Good
```tsx
// The <input> element explicit role is checkbox, it supports aria-checked attribute.
<input role='checkbox' type='button' aria-checked='true' />
<input role="checkbox" type="button" aria-checked="true" />
```

View file

@ -5,7 +5,7 @@ Avoid positive tabindex attribute values to synchronize the flow of the page wit
## References
- [AX_FOCUS_03](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_focus_03)
- [AX_FOCUS_03](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_focus_03)
## Rule options

View file

@ -5,8 +5,8 @@ A reference to role defintions can be found at [WAI-ARIA roles](https://www.w3.o
## References
- [AX_ARIA_01](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_aria_01)
- [DPUB-ARIA roles](https://www.w3.org/TR/dpub-aria-1.0/)
- [AX_ARIA_01](https://github.com/GoogleChrome/accessibility-developer-tools/wiki/Audit-Rules#ax_aria_01)
- [DPUB-ARIA roles](https://www.w3.org/TR/dpub-aria-1.0/)
## Rule options

View file

@ -0,0 +1,37 @@
# react-no-dangerous-html Rule
This rule finds usages of React's [dangerouslySetInnerHTML](https://facebook.github.io/react/tips/dangerously-set-inner-html.html). One should not use this API because it possible opens your system up to an XSS attack.
## Suppressions
Suppressions can be specified in your `tslint.json` configuration file like this:
```json
"react-no-dangerous-html": [true,
{
"file": "local/path/to/MyFile.ts",
"method": "render",
"comment": "Usage has been approved by our Security Group on 2015-03-12"
}
]
```
Or as a better alternative you can just extract all our suppressions into a separate file:
```js
"react-no-dangerous-html": [true].concat(
grunt.file.readJSON('../xss_exceptions.json')
)
```
## Audit Trail
This rule is designed to provide you with an audit trail of all `dangerouslySetInnerHTML` usages so that they can be reviewed by a security team before a release is made. We suggest you do the following (which is what our team does):
- Enable this rule
- Audit each usage of `dangerouslySetInnerHTML` to make sure they are safe
- Extract all your suppressions into a separate file (`xss_exceptions.json`)
- Add the `xss_exceptions.json` to version control
- Review the file before each release to make sure it only contains approved usages.
Of course, you're free to automate this even more if you'd like! This works for us though.
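
Review bot: The second suppression snippet calls `grunt.file.readJSON`, which is JavaScript and cannot appear in `tslint.json`, yet the section opens by saying suppressions are specified in `tslint.json`; state that this form belongs in the Gruntfile (or another JavaScript build config) that passes the rule options to TSLint. "extract all our suppressions" should read "your", and "because it possible opens" should read "possibly opens". Since `xss_exceptions.json` is the audit trail, it would also help to say that each entry should keep the `comment` field recording who approved the usage and when, as the inline example does.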

View file

@ -1,32 +0,0 @@
# react-no-dangerous-html Rule
This rule finds usages of React's [dangerouslySetInnerHTML](https://facebook.github.io/react/tips/dangerously-set-inner-html.html). One should not use this API because it possible opens your system up to an XSS attack.
## Suppressions
Suppressions can be specified in your tslint.json configuration file like this:
```json
"react-no-dangerous-html": [true,
{
"file": "local/path/to/MyFile.ts",
"method": "render",
"comment": "Usage has been approved by our Security Group on 2015-03-12"
}
]
```
Or as a better alternative you can just extract all our suppressions into a separate file:
"react-no-dangerous-html": [true].concat(
grunt.file.readJSON('../xss_exceptions.json')
)
## Audit Trail
This rule is designed to provide you with an audit trail of all dangerouslySetInnerHTML usages so that they can be reviewed by a security team before a release is made. We suggest you do the following (which is what our team does):
* Enable this rule
* Audit each usage of dangerouslySetInnerHTML to make sure they are safe
* Extract all your suppressions into a separate file (xss_exceptions.json)
* Add the xss_exceptions.json to version control
* Review the file before each release to make sure it only contains approved usages.
Of course, you're free to automate this even more if you'd like! This works for us though.