
Allow expressions within template strings, as long as they are allowed on their own (literals, etc.). Adding bailout in allowedExpression when used improperly. This has bitten me way too often

This commit is contained in:
Frederik Braun 2015-11-05 11:39:45 +01:00
Родитель 215ba0ad3b
Коммит 349053c19c
2 изменённых файлов: 48 добавлений и 10 удалений


@ -20,6 +20,9 @@ module.exports = function (context) {
var VALID_UNWRAPPERS = ["Sanitizer.unwrapSafeHTML", "unwrapSafeHTML"];
function allowedExpression(expression, parent) {
if (typeof parent === "undefined") {
throw new Error("allowedExpressions() expects two parameters. Only one given.");
}
/*
expression = { right-hand side of innerHTML or 2nd param to insertAdjacentHTML
parent is the parent node of the call or assignment. used to look into comments.
@ -39,12 +42,15 @@ module.exports = function (context) {
// we just assign a literal (e.g. a string, a number, a bool)
allowed = true;
} else if (expression.type === "TemplateLiteral") {
// check for ${..} expressions
if (expression.expressions.length === 0) {
allowed = true;
} else {
// check for ${..} expressions
for (var e = 0; e < expression.expressions.length; e++) {
var templateExpression = expression.expressions[e];
if (!allowedExpression(templateExpression, expression)) {
allowed = false;
} // else: contains expressions, but no tagged function? not cool.
break;
}
}
} else if (expression.type === "TaggedTemplateExpression") {
// context.getSource(expression.tag) is the function name
if (VALID_ESCAPERS.indexOf(context.getSource(expression.tag)) !== -1) {
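Review bot: The new else-branch for template literals containing `${..}` expressions only ever assigns `allowed = false`; nothing in this hunk sets it to true when every expression passes the recursive `allowedExpression` check, so the result depends on how `allowed` is initialised before this if/else chain, and that declaration is outside the hunk. If it starts out false or undefined, the new valid test assigning a template whose only expression is `${'lulz'}` would still be reported. Adding `allowed = true;` as the first statement of the else block, before the loop, makes the branch self-contained and independent of that initial value. The rendered view also leaves the position of `break;` ambiguous: it must sit inside the `if (!allowedExpression(...))` body, otherwise only the first expression is ever inspected and the invalid test that places `${evil}` after a literal expression would slip through. Separately, the guard added in the first hunk names the function `allowedExpressions()` in its message while the function is `allowedExpression`; `throw new Error("allowedExpression() expects two parameters. Only one given.");` keeps them in step.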


@ -120,8 +120,20 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
{
code: "document.writeln(Sanitizer.escapeHTML`<em>${evil}</em>`);",
ecmaFeatures: features
}
},
// template string expression tests
{
code: "u.innerHTML = `<span>${'lulz'}</span>`;",
ecmaFeatures: features
},
{
code: "v.innerHTML = `<span>${'lulz'}</span>${55}`;",
ecmaFeatures: features
},
{
code: "w.innerHTML = `<span>${'lulz'+'meh'}</span>`;",
ecmaFeatures: features
},
],
// Examples of code that should trigger the rule
@ -167,6 +179,26 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
}
]
},
{
code: "t.innerHTML = `<span>${name}</span>`;",
errors: [
{
message: "Unsafe assignment to innerHTML",
type: "AssignmentExpression"
}
],
ecmaFeatures: features
},
{
code: "t.innerHTML = `<span>${'foobar'}</span>${evil}`;",
errors: [
{
message: "Unsafe assignment to innerHTML",
type: "AssignmentExpression"
}
],
ecmaFeatures: features
},
// insertAdjacentHTML examples
{
code: "node.insertAdjacentHTML('beforebegin', htmlString);",