Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and the like
Frederik Braun 86e1a5270c s/no-unsafe-innerhtml/no-unsanitized/g 2017-04-05 09:27:49 +02:00
lib/rules s/no-unsafe-innerhtml/no-unsanitized/g 2017-04-05 09:27:49 +02:00
tests/rules s/no-unsafe-innerhtml/no-unsanitized/g 2017-04-05 09:27:49 +02:00
.eslintrc Adding allow list for assignment expressions. Fixes #42 (#43) 2017-03-22 16:24:37 +01:00
.gitignore first commit 2015-05-13 11:13:15 +02:00
.travis.yml Prepare 1.0.15 (#12) 2016-09-30 13:22:50 +02:00
NOTES adding note to NOTES 2017-03-21 09:56:23 +01:00
README.md s/no-unsafe-innerhtml/no-unsanitized/g 2017-04-05 09:27:49 +02:00
index.js s/no-unsafe-innerhtml/no-unsanitized/g 2017-04-05 09:27:49 +02:00
package.json s/no-unsafe-innerhtml/no-unsanitized/g 2017-04-05 09:27:49 +02:00

README.md

Disallow unsanitized DOM access (no-unsanitized)

This rule disallows unsafe coding practices that may result in security vulnerabilities. It reports assignments to innerHTML as well as calls to insertAdjacentHTML unless the HTML value comes from a pre-defined escaping function. The escaping function must be used as a tag on a template string. The accepted function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.
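An added example, not code from this plugin or from Mozilla's Sanitizer library, of an escaping tag with the shape the rule expects, named `escapeHTML` as in this README. It shows why the rule requires a tagged template rather than a plain function call: the tag receives the author-written chunks separately from the interpolated values, so it can escape only the values and leave the markup intact. The hostile input string is constructed for the demonstration; the escape table (including both quote characters, so the result is safe inside single- or double-quoted attributes) is this example's choice.

```javascript
// Escape table for HTML text and quoted attribute contexts (example's own choice).
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape one interpolated value for insertion into HTML.
function escapeValue(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tag function: `strings` are the static template chunks, `values` the ${...} parts.
// Only the values are escaped; the chunks are trusted author-written markup.
function escapeHTML(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeValue(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed attacker-controlled input: closes the href attribute and adds
// an event handler if it is concatenated into markup without escaping.
const hostileUrl = "x' onmouseover='alert(1)";

// The README's disallowed pattern: string concatenation into a sink.
function unsafeMarkup(url) {
  return "<a href='" + url + "'>About</a>";
}

// The README's allowed pattern: escaping applied to the interpolation only.
function safeMarkup(url) {
  return escapeHTML`<a href='${url}'>About</a>`;
}

// Escaping the fully assembled string is NOT a substitute: it also destroys
// the author's own tags, which is why the rule wants the tagged form.
function overEscaped(url) {
  return escapeValue("<a href='" + url + "'>About</a>");
}
```

One caveat worth keeping in mind: this escaping prevents the value from breaking out of the text or attribute context, but it does not validate URLs. `safeMarkup("javascript:alert(1)")` still yields a link whose href is a script URL; a value that lands in an href needs scheme validation on top of HTML escaping.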

Rule Details

The rule disallows unsafe coding practices while trying to allow safe coding practices.

Here are a few examples of code that we do not want to allow:

```js
foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";
```

A few examples of allowed practices:

```js
foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;
```
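To make the allow/deny decision above concrete, here is an added example, not this plugin's implementation, of a minimal rule in the ESLint rule-module shape that applies the README's policy to hand-built ESTree nodes. It runs here without ESLint or a parser by dispatching nodes through a stand-in `context`. The sink names `innerHTML`/`insertAdjacentHTML` and the escaper names `escapeHTML`/`Sanitizer.escapeHTML` are the README's; treating `outerHTML` as a sink follows the repository description; the tiny harness and node builders are this example's assumptions.

```javascript
// DOM sinks and accepted escaper names (README plus repository description).
const HTML_SINKS = new Set(["innerHTML", "outerHTML"]);
const ESCAPERS = new Set(["escapeHTML", "Sanitizer.escapeHTML"]);

// Dotted name of a tag/callee: Identifier "escapeHTML" or
// MemberExpression "Sanitizer.escapeHTML". Computed access yields null.
function dottedName(node) {
  if (node.type === "Identifier") return node.name;
  if (node.type === "MemberExpression" && !node.computed &&
      node.property.type === "Identifier") {
    const obj = dottedName(node.object);
    return obj === null ? null : obj + "." + node.property.name;
  }
  return null;
}

// Allow list: constants, interpolation-free templates, and templates tagged
// with a known escaper. Everything else is treated as unsanitized.
function isSafeHtml(node) {
  if (node.type === "Literal") return true;
  if (node.type === "TemplateLiteral") return node.expressions.length === 0;
  if (node.type === "TaggedTemplateExpression") return ESCAPERS.has(dottedName(node.tag));
  return false;
}

// Rule module in ESLint's shape (example's own, simplified).
const rule = {
  meta: { type: "problem", schema: [] },
  create(context) {
    return {
      AssignmentExpression(node) {
        const left = node.left;
        if (left.type === "MemberExpression" && !left.computed &&
            HTML_SINKS.has(left.property.name) && !isSafeHtml(node.right)) {
          context.report({ node, message: `Unsafe assignment to ${left.property.name}` });
        }
      },
      CallExpression(node) {
        const callee = node.callee;
        if (callee.type === "MemberExpression" && !callee.computed &&
            callee.property.name === "insertAdjacentHTML") {
          const html = node.arguments[1]; // (position, text)
          if (!html || !isSafeHtml(html)) {
            context.report({ node, message: "Unsafe call to insertAdjacentHTML" });
          }
        }
      },
    };
  },
};

// Stand-in for ESLint: hand one node to the matching listener, collect messages.
function lint(node) {
  const reports = [];
  const listeners = rule.create({ report: (r) => reports.push(r.message) });
  const handler = listeners[node.type];
  if (handler) handler(node);
  return reports;
}

// Minimal ESTree builders for the README's examples (assumed shapes).
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const member = (object, prop) => ({ type: "MemberExpression", computed: false, object, property: id(prop) });
const assign = (left, right) => ({ type: "AssignmentExpression", operator: "=", left, right });
const call = (callee, args) => ({ type: "CallExpression", callee, arguments: args });
const tagged = (tag) => ({
  type: "TaggedTemplateExpression", tag,
  quasi: { type: "TemplateLiteral", quasis: [], expressions: [id("url")] },
});

// foo.innerHTML = input.value;                      -> reported
const bad1 = assign(member(id("foo"), "innerHTML"), member(id("input"), "value"));
// bar.innerHTML = "<a href='" + url + "'>About</a>"; -> reported
const bad2 = assign(member(id("bar"), "innerHTML"),
  { type: "BinaryExpression", operator: "+", left: lit("<a href='"), right: id("url") });
// bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`; -> allowed
const good1 = assign(member(id("bar"), "innerHTML"), tagged(id("escapeHTML")));
// el.insertAdjacentHTML("beforeend", Sanitizer.escapeHTML`...`); -> allowed
const good2 = call(member(id("el"), "insertAdjacentHTML"),
  [lit("beforeend"), tagged(member(id("Sanitizer"), "escapeHTML"))]);
```

Note that this is an allow list, not a deny list: an unknown tag such as ``sanitize`...` `` or any expression the rule cannot prove constant is reported, which is the conservative direction for a sink that executes markup. The real plugin handles more cases (its history mentions an allow list for assignment expressions), so treat this as the policy skeleton rather than a drop-in replacement.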

This rule is being used within Mozilla to maintain and improve the security of our products and services.