Docs: split out documentation per-rule and add files for fixing violations and customization

2017-07-18 13:03:53 +02:00 · 2017-07-18 13:03:53 +02:00 · 3c82cab235
--- a/docs/rules/customization.md
+++ b/docs/rules/customization.md
@ -0,0 +1,34 @@
+# Customization
+
+You can customize the way this rule works in various ways.
+* Add to the list of properties or functions to be checked for potentially
+dangers variable input
+* Add to the list of allowed escaping functions to mitigate security concerns
+* Besides adding to the list, you may override the defaults and provide an exhaustive list yourself
+
+## Examples
+### Disallow the `html` function by specifically checking input for the first function parameter
+```json
+{
+ "rules": {
+        "no-unsanitized/method": [
+            "error",
+            {
+            },
+            {
+                "html": {
+                    "properties": [0]
+                }
+            }
+        ]
+  }
+}
+```
+
+### Override list of escaping functions for property assignments only 
+TBD
+
+
+#### More
+* See [our rule schema definition](SCHEMA.md). 
+
--- a/docs/rules/fixing-violations.md
+++ b/docs/rules/fixing-violations.md
@ -1,27 +1,4 @@
-# eslint-plugin-no-unsanitized
-
-Rules in *eslint-plugin-no-unsanitized* perform basic security
-checks. The idea of these checks is to ensure that certain insecure
-coding patterns are avoided in our codebase. We encourage developers
-to use HTML sanitizers or escapers.
-
-
-## Unsafe assignment to innerHTML or outerHTML (no-unsanitized/property)
-The error message suggests that you are using an unsafe coding
-pattern. Please do not assign varaibles to innerHTML, if at all
-possible. Instead, we suggest using a sanitizer or escaping
-function, e.g.,
-[sanitizer.js](https://github.com/fxos-eng/sanitizer) 
-
-
-## Unsafe call to insertAdjacentHTML, document.write or document.writeln (no-unsanitized/method)
-
-This error message suggests that you are using an unsafe coding
-pattern. Please do not simply call insertAdjacentHTML with a
-variable parameter.
-
-## Fixing linter errors
-
+# Fixing Rule Violations
 The default configuration will allow your code to pass if it ensures
 that all user input is properly escaped.
 Using the [sanitizer.js](https://github.com/fxos-eng/sanitizer) 
@ -34,8 +11,8 @@ foo.innerHTML = Sanitizer.escapeHTML`<a href="${link}">click</a>`
 // example for no-unsanitized/method
 node.insertAdjacentHTML('afterend', Sanitizer.escapeHTML`<a href="${link}">click</a>`);
 ```
-### Wrapping & Unwrapping

+## Wrapping & Unwrapping
 If you need to generate your HTML somewhere else and e.g. cache it,
 you won't be able to run `escapeHTML` on a string that knows no
 distinction between HTML and user inputs.
@ -59,6 +36,7 @@ function useGreeting(domNode) {
 }
 ```

-## That still does not solve my problem
+# That still does not solve my problem
 It might very well be the case that there's a bug in our linter rule.
-(Please file an issue.](https://github.com/mozilla/eslint-plugin-no-unsanitized/issues/new)
+
+[Please file an issue.](https://github.com/mozilla/eslint-plugin-no-unsanitized/issues/new)
--- a/docs/rules/method.md
+++ b/docs/rules/method.md
@ -0,0 +1,17 @@
+# method
+The *method* rule in *eslint-plugin-no-unsanitized* perform basic security
+checks for function calls. The idea of these checks is to ensure that certain insecure
+coding patterns are avoided in your codebase. We encourage developers
+to use HTML sanitizers or escapers to mitigate those insecure patterns.
+
+## Unsafe call to insertAdjacentHTML, document.write or document.writeln
+This error message suggests that you are using an unsafe coding
+pattern. Please do not simply call functions like `insertAdjacentHTML` with a
+variable parameter, as this might cause Cross-Site Scripting (XSS)
+vulnerabilities. We encourage you to construct DOM nodes using `createElement`
+and changing their attributes (e.g., `textContent`, `classList`) instead.
+
+### Further Reading
+* Advanced guidance on [Fixing rule violations](fixing-violations.md)
+* This rule has some [customization](customization.md) options that allow you
+to add or remove functions that should not be called
--- a/docs/rules/property.md
+++ b/docs/rules/property.md
@ -0,0 +1,18 @@
+# property
+The *property* rule in *eslint-plugin-no-unsanitized* perform basic security
+checks for property assignments. The idea of these checks is to ensure that
+certain insecure coding patterns are avoided in your codebase. We encourage
+developers to use HTML sanitizers or escapers to mitigate those insecure
+patterns.
+
+## Unsafe assignment to innerHTML or outerHTML 
+This error message suggests that you are using an unsafe coding
+pattern. Please do not simply assign variables to `innertHTML`,
+as this might cause Cross-Site Scripting (XSS) vulnerabilities.
+We encourage you to construct DOM nodes using `createElement`
+and changing their attributes (e.g., `textContent`, `classList`) instead.
+
+### Further Reading
+* Advanced guidance on [Fixing rule violations](fixing-violations.md)
+* This rule has some [customization](customization.md) options that allow you
+to add or remove functions that should not be called