UNPKG

@microsoft/eslint-plugin-sdl

Version:

ESLint plugin focused on common security issues and misconfigurations discoverable during static testing as part of Microsoft Security Development Lifecycle (SDL)

github.com/microsoft/eslint-plugin-sdl

microsoft/eslint-plugin-sdl

83 lines (74 loc) 2.71 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
// Copyright (c) Microsoft Corporation. // Licensed under the MIT License. /** * @fileoverview Rule to disallow assignment to innerHTML or outerHTML properties * @author Antonios Katopodis */ "use strict"; const astUtils = require("../ast-utils"); module.exports = { meta: { type: "suggestion", fixable: "code", schema: [], docs: { description: "Assignments to [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML)/[outerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML) properties or calls to [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) method manipulate DOM directly without any sanitization and should be avoided. Use document.createElement() or similar methods instead.", url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-inner-html.md" }, messages: { noInnerHtml: "Do not write to DOM directly using innerHTML/outerHTML property", noInsertAdjacentHTML: "Do not write to DOM using insertAdjacentHTML method" } }, create: function (context) { const fullTypeChecker = astUtils.getFullTypeChecker(context); function mightBeHTMLElement(node) { const type = astUtils.getNodeTypeAsString(fullTypeChecker, node, context); return type.match(/HTML.*Element/) || type === "any"; } return { "CallExpression[arguments.length=2] > MemberExpression.callee[property.name='insertAdjacentHTML']"( node ) { // Ignore known false positives if ( node.parent != undefined && node.parent.arguments != undefined && node.parent.arguments.length >= 1 && node.parent.arguments[1] != undefined && // element.insertAdjacentHTML('') node.parent.arguments[1].type === "Literal" && node.parent.arguments[1].value === "" ) { return; } if (mightBeHTMLElement(node.object)) { context.report({ node: node, messageId: "noInsertAdjacentHTML" }); } }, "AssignmentExpression[left.type='MemberExpression'][left.property.name=/innerHTML|outerHTML/]"( node ) { // Ignore known false positives if ( node.right != undefined && // element.innerHTML = '' node.right.type === "Literal" && node.right.value === "" ) { return; } if (mightBeHTMLElement(node.left.object)) { context.report({ node: node, messageId: "noInnerHtml" }); } } }; } };