зеркало из
1
0
Форкнуть 0
Custom ESLint rule to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike
Перейти к файлу
Frederik 0b5680023c Try checking AssignmentExpression, not :exit. 2017-03-17 14:30:15 +01:00
lib/rules Try checking AssignmentExpression, not :exit. 2017-03-17 14:30:15 +01:00
tests/rules Fix #18: remove whitelisting through comments (#20) 2017-03-17 14:24:20 +01:00
.eslintrc create .eslintrc, re-indent and fix some other minor issues 2015-11-05 12:30:07 +01:00
.gitignore first commit 2015-05-13 11:13:15 +02:00
.travis.yml Prepare 1.0.15 (#12) 2016-09-30 13:22:50 +02:00
NOTES add note to NOTES 2015-11-05 11:59:36 +01:00
README.md travis ci image in readme 2015-11-05 11:41:48 +01:00
index.js make ourselves eslint-testable 2015-09-10 12:46:42 +02:00
package.json releasing version 1.0.16 2017-03-06 10:03:14 +01:00

README.md

Build Status

Disallow unsafe HTML templating (no-unsafe-innerhtml)

This function disallows unsafe coding practices that may result into security vulnerabilities. We will disallow assignments to innerHTML as well as calls to insertAdjacentHTML without the use of a pre-defined escaping function. The escaping functions must be called with a template string. The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.

Rule Details

The rule disallows unsafe coding practices while trying to allow safe coding practices.

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;

This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase Gaia. Further documentation, which includes references to the escaping functions can be found on MDN.