Fix #18: remove whitelisting through comments
This commit is contained in:
Родитель
b073e18b70
Коммит
d6e6dddf1a
|
@ -38,7 +38,7 @@ module.exports = function (context) {
|
|||
}
|
||||
/*
|
||||
expression = { right-hand side of innerHTML or 2nd param to insertAdjacentHTML
|
||||
parent is the parent node of the call or assignment. used to look into comments.
|
||||
parent is the parent node of the call or assignment.
|
||||
*/
|
||||
var allowed;
|
||||
/* check the stringish-part, which is either the right-hand-side of
|
||||
|
@ -83,21 +83,6 @@ module.exports = function (context) {
|
|||
// everything that doesn't match is unsafe:
|
||||
allowed = false;
|
||||
}
|
||||
if (allowed === false) {
|
||||
// Check for comment that link to approval in bugzilla:
|
||||
var comments = context.getComments(parent).trailing;
|
||||
for (var i = 0; i < comments.length; i++) {
|
||||
var comment = comments[i];
|
||||
/* looking for comment directly after the semicolon
|
||||
(same or next line), that matches /bug \d{7,}/.
|
||||
*/
|
||||
if (comment.value.match(/a=.*, bug \d{7,}/)) {
|
||||
allowed = true;
|
||||
} else if (comment.value.match(/"FIXME: use safe escaping, bug \d{7,}"/)) {
|
||||
allowed = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return allowed;
|
||||
}
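Review bot: After this change the `parent` parameter documented in the first hunk (`parent is the parent node of the call or assignment.`) appears to have no remaining use: the only stated purpose, "used to look into comments", is deleted along with the `context.getComments(parent).trailing` loop in the second hunk. If nothing outside the visible hunks reads `parent`, drop it from the signature and the header comment; otherwise the comment should say what it is still for. Since exemptions by trailing comment are gone, the header is also the place to record where overrides now belong, e.g. `Overrides are no longer granted via trailing comments; use an eslint-disable directive that cites the bug so exemptions stay greppable.` The enclosing function starts outside both hunks.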
|
||||
|
||||
|
|
|
@ -96,11 +96,6 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
|
|||
code: "n.insertAdjacentHTML('afterend', Sanitizer.escapeHTML`${title}`);",
|
||||
parserOptions: { ecmaVersion: 6 }
|
||||
},
|
||||
// override for manual review and legacy code
|
||||
{
|
||||
code: "g.innerHTML = potentiallyUnsafe; // a=legacy, bug 1155131",
|
||||
parserOptions: { ecmaVersion: 6 }
|
||||
},
|
||||
// (binary) expressions
|
||||
{
|
||||
code: "x.innerHTML = `foo`+`bar`;",
|
||||
|
@ -318,6 +313,16 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
|
|||
}
|
||||
],
|
||||
parserOptions: { ecmaVersion: 6 }
|
||||
}
|
||||
},
|
||||
// the previous override for manual review and legacy code is now invalid
|
||||
{
|
||||
code: "g.innerHTML = potentiallyUnsafe; // a=legacy, bug 1155131",
|
||||
errors: [
|
||||
{
|
||||
message: "Unsafe assignment to innerHTML",
|
||||
type: "AssignmentExpression"
|
||||
}
|
||||
]
|
||||
},
|
||||
]
|
||||
});
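Review bot: The single invalid case added here only proves that the `// a=legacy, bug 1155131` form is rejected; the rule change also removes the second override pattern, `"FIXME: use safe escaping, bug \d{7,}"`, and no test asserts that it is rejected too, so a partial revert of that branch would pass the suite. Add a sibling invalid entry with `code: 'g.innerHTML = potentiallyUnsafe; // "FIXME: use safe escaping, bug 1155131"'` and the same `Unsafe assignment to innerHTML` / `AssignmentExpression` error. A block-comment variant (`/* a=legacy, bug 1155131 */`) is presumably worth covering as well, since the removed loop read every trailing comment rather than line comments only. The enclosing `eslintTester.run` call starts outside the hunk.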
|
||||
|
|