Custom ESLint rule to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike

Перейти к файлу

Frederik Braun a8f9e0e2b3 addressing unsafe uses of the sanitizer, bug 1192595		2015-09-10 10:01:15 +02:00
lib/rules	Bug 1198200: eslint gives up on some simple innerHTML assignments	2015-09-09 11:25:11 +02:00
tests/rules	addressing unsafe uses of the sanitizer, bug 1192595	2015-09-10 10:01:15 +02:00
.gitignore	first commit	2015-05-13 11:13:15 +02:00
.travis.yml	version 0.1.5	2015-06-09 14:58:31 +02:00
README.md	Rename Tagged library to Sanitizer	2015-06-08 21:20:57 -07:00
index.js	adding call to unwrapper to allowed right-hand side	2015-06-05 12:00:59 +02:00
package.json	bump version	2015-09-09 10:44:52 +02:00

README.md

Disallow unsafe HTML templating (no-unsafe-innerhtml)

This function disallows unsafe coding practices that may result into security vulnerabilities. We will disallow assignments to innerHTML as well as calls to insertAdjacentHTML without the use of a pre-defined escaping function. The escaping functions must be called with a template string. The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.

Rule Details

The rule disallows unsafe coding practices while trying to allow safe coding practices.

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;

This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase Gaia. Further documentation, which includes references to the escaping functions can be found on MDN.