
Fix #18: remove whitelisting through comments

This commit is contained in:
Frederik Braun 2017-03-17 14:18:05 +01:00
Родитель b073e18b70
Коммит d6e6dddf1a
2 изменённых файлов: 12 добавлений и 22 удалений


@ -38,7 +38,7 @@ module.exports = function (context) {
}
/*
expression = { right-hand side of innerHTML or 2nd param to insertAdjacentHTML
parent is the parent node of the call or assignment. used to look into comments.
parent is the parent node of the call or assignment.
*/
var allowed;
/* check the stringish-part, which is either the right-hand-side of
@ -83,21 +83,6 @@ module.exports = function (context) {
// everything that doesn't match is unsafe:
allowed = false;
}
if (allowed === false) {
// Check for comment that link to approval in bugzilla:
var comments = context.getComments(parent).trailing;
for (var i = 0; i < comments.length; i++) {
var comment = comments[i];
/* looking for comment directly after the semicolon
(same or next line), that matches /bug \d{7,}/.
*/
if (comment.value.match(/a=.*, bug \d{7,}/)) {
allowed = true;
} else if (comment.value.match(/"FIXME: use safe escaping, bug \d{7,}"/)) {
allowed = true;
}
}
}
return allowed;
}
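Review bot: With the `context.getComments(parent)` lookup gone, the rewritten comment line `parent is the parent node of the call or assignment.` still documents `parent`, yet nothing left in this hunk reads it; if no other use survives in the body (the function starts before this hunk), drop the `parent` argument and its doc line, or say what it is still needed for. The removed block was also the only place that treated a non-`false` `allowed` as an override, so the result now comes solely from the expression analysis above `allowed = false;`; if any branch there leaves `allowed` unassigned, `return allowed;` yields `undefined`, which a caller comparing with `=== false` would not count as unsafe. A one-line tightening, `return allowed === true;`, makes the rule fail closed for any expression shape the analysis does not classify.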


@ -96,11 +96,6 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
code: "n.insertAdjacentHTML('afterend', Sanitizer.escapeHTML`${title}`);",
parserOptions: { ecmaVersion: 6 }
},
// override for manual review and legacy code
{
code: "g.innerHTML = potentiallyUnsafe; // a=legacy, bug 1155131",
parserOptions: { ecmaVersion: 6 }
},
// (binary) expressions
{
code: "x.innerHTML = `foo`+`bar`;",
@ -318,6 +313,16 @@ eslintTester.run("no-unsafe-innerhtml", rule, {
}
],
parserOptions: { ecmaVersion: 6 }
}
},
// the previous override for manual review and legacy code is now invalid
{
code: "g.innerHTML = potentiallyUnsafe; // a=legacy, bug 1155131",
errors: [
{
message: "Unsafe assignment to innerHTML",
type: "AssignmentExpression"
}
]
},
]
});
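Review bot: The invalid case added at the end of this hunk only exercises the `a=legacy, bug 1155131` comment form; the rule file's removed lines also accepted a trailing `"FIXME: use safe escaping, bug \d{7,}"` comment, and no test asserts that this second form is now reported. A parallel invalid case with that comment pins both former bypasses as closed, so a regression that re-introduces either is caught rather than silently restoring a way to suppress the warning. The `eslintTester.run` call begins outside the hunk.
```javascript
// … unchanged: preceding invalid cases, including the a=legacy one …
{
    code: "g.innerHTML = potentiallyUnsafe; // \"FIXME: use safe escaping, bug 1155131\"",
    errors: [
        {
            message: "Unsafe assignment to innerHTML",
            type: "AssignmentExpression"
        }
    ]
},
```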