Merge pull request #3 from mozfreddyb/allow-binary-expressions

try allowing binary expressions (being careful about recent changes to upstream eslint)
2015-09-08 12:26:51 +02:00 · 2015-09-08 12:26:51 +02:00 · 2e3c48638a
--- a/lib/rules/no-unsafe-innerhtml.js
+++ b/lib/rules/no-unsafe-innerhtml.js
@ -56,6 +56,9 @@ module.exports = function (context) {
          if (VALID_UNWRAPPERS.indexOf(funcName) !== -1) {
            allowed = true;
          }
+        } else if (expression.type == "BinaryExpression") {
+          allowed = ((allowedExpression(expression.left, expression))
+                      && (allowedExpression(expression.right, expression)));
        } else {
            // everything that doesn't match is unsafe:
            allowed = false;
--- a/package.json
+++ b/package.json
@ -9,12 +9,10 @@
        "url": "https://github.com/mozfreddyb/eslint-plugin-no-unsafe-innerhtml/issues"
    },
    "devDependencies": {
-        "eslint": ">=0.24.0",
-        "eslint-tester": ">=0.8.2",
        "mocha": "^2.2.4"
    },
    "dependencies": {
-        "eslint": ">=0.24.0"
+        "eslint": "^1.1.0"
    },
    "homepage": "https://github.com/mozfreddyb/eslint-plugin-no-unsafe-innerhtml/",
    "keywords": [
@ -24,7 +22,7 @@
        "lint",
        "security"
    ],
-    "license": "MPLv2",
+    "license": "MPL-2.0",
    "main": "index.js",
    "repository": {
        "type": "git",
--- a/tests/rules/no-unsafe-innerhtml.js
+++ b/tests/rules/no-unsafe-innerhtml.js
@ -9,15 +9,16 @@
 // Requirements
 //------------------------------------------------------------------------------

-var eslint = require("eslint"),
-    ESLintTester = require("eslint-tester");
+var rule = require("../../lib/rules/no-unsafe-innerhtml");
+var RuleTester = require('eslint').RuleTester;

 //------------------------------------------------------------------------------
 // Tests
 //------------------------------------------------------------------------------

-var eslintTester = new ESLintTester(eslint.linter);
-eslintTester.addRuleTest("lib/rules/no-unsafe-innerhtml", {
+var eslintTester = new RuleTester();
+
+eslintTester.run("no-unsafe-innerhtml", rule, {

    // Examples of code that should not trigger the rule
    // XXX this does not find z['innerHTML'] and the like.
@ -93,6 +94,15 @@ eslintTester.addRuleTest("lib/rules/no-unsafe-innerhtml", {
        {
            code: "g.innerHTML = potentiallyUnsafe; // a=legacy, bug 1155131",
            ecmaFeatures: { templateStrings: true }
+        },
+        // (binary) expressions
+        {
+            code: "x.innerHTML = `foo`+`bar`;",
+            ecmaFeatures: { templateStrings: true }
+        },
+        {
+            code: "y.innerHTML = '<span>' + 5 + '</span>';",
+            ecmaFeatures: { templateStrings: true }
        }
    ],

@ -157,6 +167,25 @@ eslintTester.addRuleTest("lib/rules/no-unsafe-innerhtml", {
                    type: "CallExpression"
                }
            ]
+        },
+        // (binary) expressions
+        {
+            code: "node.innerHTML = '<span>'+ htmlInput;",
+            errors: [
+                {
+                    message: "Unsafe assignment to innerHTML",
+                    type: "AssignmentExpression"
+                }
+            ]
+        },
+        {
+            code: "node.innerHTML = '<span>'+ htmlInput + '</span>';",
+            errors: [
+                {
+                    message: "Unsafe assignment to innerHTML",
+                    type: "AssignmentExpression"
+                }
+            ]
        }
    ]
 });