disallow document.write and document.writeln (fixes #2)

2015-09-08 12:38:16 +02:00 · 2015-09-08 12:38:16 +02:00 · 3fbbdd72c6
--- a/lib/rules/no-unsafe-innerhtml.js
+++ b/lib/rules/no-unsafe-innerhtml.js
@ -101,7 +101,15 @@ module.exports = function (context) {
            if ("property" in node.callee) {
                if (node.callee.property.name === "insertAdjacentHTML") {
                    if (!allowedExpression(node.arguments[1], node.parent)) {
-                        context.report(node, "Unsafe call to insertAdjacentHTML"); // report error
+                        context.report(node, "Unsafe call to insertAdjacentHTML");
+                    }
+                } else if (context.getSource(node.callee) === "document.write") {
+                    if (!allowedExpression(node.arguments[0], node.parent)) {
+                        context.report(node, "Unsafe call to document.write");
+                    }
+                } else if (context.getSource(node.callee) === "document.writeln") {
+                    if (!allowedExpression(node.arguments[0], node.parent)) {
+                        context.report(node, "Unsafe call to" + " document.writeln");
                    }
                }
            }
--- a/tests/rules/no-unsafe-innerhtml.js
+++ b/tests/rules/no-unsafe-innerhtml.js
@ -103,7 +103,17 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
        {
            code: "y.innerHTML = '<span>' + 5 + '</span>';",
            ecmaFeatures: { templateStrings: true }
+        },
+        // document.write/writeln
+        {
+            code: "document.write('lulz');",
+            ecmaFeatures: { templateStrings: true }
+        },
+        {
+            code: "document.writeln(Sanitizer.escapeHTML`<em>${evil}</em>`);",
+            ecmaFeatures: { templateStrings: true }
        }
+
    ],

    // Examples of code that should trigger the rule
@ -186,6 +196,25 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
                    type: "AssignmentExpression"
                }
            ]
+        },
+        // document.write / writeln
+        {
+            code: "document.write('<span>'+ htmlInput + '</span>');",
+            errors: [
+                {
+                    message: "Unsafe call to document.write",
+                    type: "CallExpression"
+                }
+            ]
+        },
+        {
+            code: "document.writeln(evil);",
+            errors: [
+                {
+                    message: "Unsafe call to document.writeln",
+                    type: "CallExpression"
+                }
+            ]
        }
    ]
 });