Custom ESLint rule to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike

Перейти к файлу

Frederik Braun c933df13d1 Update release docs (#258 ) * v4.1.2 * update release docs --------- Co-authored-by: Frederik Braun <fbraun+github@mozilla.com>		2024-10-10 10:28:10 +02:00
.github/workflows	Update dependencies and release as 4.1.0 (#247 )	2024-09-02 09:54:15 +02:00
docs/rules	Switch to prettier for formatting; drop obsolete ESLint formatting rules. (#238 )	2024-04-22 11:41:30 +02:00
lib	Upgrade to & supoport ESlint v9 (fixes #234 ) (#239 )	2024-05-14 09:16:28 +02:00
tests	Update dependencies and release as 4.1.0 (#247 )	2024-09-02 09:54:15 +02:00
.babelrc	Switch to prettier for formatting; drop obsolete ESLint formatting rules. (#238 )	2024-04-22 11:41:30 +02:00
.gitignore	Add newline to gitignore	2021-03-24 08:28:44 -07:00
CODE_OF_CONDUCT.md	Switch to prettier for formatting; drop obsolete ESLint formatting rules. (#238 )	2024-04-22 11:41:30 +02:00
CREATING_A_NEW_RELEASE.md	Update release docs (#258 )	2024-10-10 10:28:10 +02:00
LICENSE	Add LICENSE file (MPL-2.0 already in package.json)	2018-11-28 10:53:12 +01:00
README.md	Upgrade to & supoport ESlint v9 (fixes #234 ) (#239 )	2024-05-14 09:16:28 +02:00
SCHEMA.md	Custom rules for configuring rules. Fixes #29 (#51 )	2017-04-21 16:52:12 +02:00
SECURITY.md	Switch to prettier for formatting; drop obsolete ESLint formatting rules. (#238 )	2024-04-22 11:41:30 +02:00
eslint.config.mjs	Upgrade to & supoport ESlint v9 (fixes #234 ) (#239 )	2024-05-14 09:16:28 +02:00
index.js	Read package.json from this node package, not the current directory. Fixes #255 .	2024-09-26 11:09:30 -04:00
package.json	v4.1.2 (#257 )	2024-09-30 15:47:36 +02:00
prettier.config.mjs	Switch to prettier for formatting; drop obsolete ESLint formatting rules. (#238 )	2024-04-22 11:41:30 +02:00
yarn.lock	Update dependencies and release as 4.1.0 (#247 )	2024-09-02 09:54:15 +02:00

README.md

Disallow unsanitized code (no-unsanitized)

These rules disallow unsafe coding practices that may result into security vulnerabilities. We will disallow assignments (e.g., to innerHTML) as well as calls (e.g., to insertAdjacentHTML) without the use of a pre-defined escaping function. The escaping functions must be called with a template string. The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML. The plugin also supports the Sanitizer API and calls to .setHTML() are also allowed by default.

This plugin is built for and used within Mozilla to maintain and improve the security of our products and services.

Rule Details

method

The method rule disallows certain function calls. E.g., document.write() or insertAdjacentHTML(). See docs/rules/method.md for more.

property

The property rule disallows certain assignment expressions, e.g., to innerHTML.

See docs/rules/property.md for more.

Examples

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='" + url + "'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;

Install

With yarn or npm:

$ yarn add -D eslint-plugin-no-unsanitized
$ npm install --save-dev eslint-plugin-no-unsanitized

Usage

Flat config

import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [nounsanitized.configs.recommended];

import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [
    {
        files: ["**/*.js"],
        plugins: { nounsanitized },
        rules: {
            "no-unsanitized/method": "error",
            "no-unsanitized/property": "error",
        },
    },
];

eslintrc

In your .eslintrc.json file enable this rule with the following:

{
    "extends": ["plugin:no-unsanitized/recommended-legacy"]
}

Or:

{
    "plugins": ["no-unsanitized"],
    "rules": {
        "no-unsanitized/method": "error",
        "no-unsanitized/property": "error"
    }
}

Documentation

See docs/.