UNPKG

eslint-plugin-no-unsanitized

Version:

ESLint rule to disallow unsanitized code

github.com/mozilla/eslint-plugin-no-unsanitized/

mozilla/eslint-plugin-no-unsanitized

105 lines (96 loc) 3.61 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
/** * @file ESLint rule to disallow unsanitized property assignment * @author Frederik Braun et al. * @copyright 2015-2017 Mozilla Corporation. All rights reserved. */ "use strict"; const RuleHelper = require("../ruleHelper"); //------------------------------------------------------------------------------ // Rule Definition //------------------------------------------------------------------------------ const defaultRuleChecks = { // Check unsafe assignment to innerHTML innerHTML: {}, // Check unsafe assignment to outerHTML outerHTML: {}, }; module.exports = { meta: { type: "problem", docs: { description: "ESLint rule to disallow unsanitized property assignment", category: "possible-errors", url: "https://github.com/mozilla/eslint-plugin-no-unsanitized/tree/master/docs/rules/property.md", }, schema: [ { type: "object", properties: { escape: { type: "object", properties: { taggedTemplates: { type: "array", items: [{ type: "string" }], }, methods: { type: "array", items: [{ type: "string" }], }, }, }, variableTracing: { type: "boolean" }, }, additionalProperties: false, }, { type: "object", }, ], }, create(context) { const ruleHelper = new RuleHelper(context, defaultRuleChecks); // operators to not check, such as X.innerHTML *= 12; is likely very safe // This list explicitly doesn't check ["=", "+="] or any newer operators that have not been reviewed // - https://github.com/estree/estree/blob/master/es5.md#assignmentoperator // - https://github.com/estree/estree/blob/master/es2016.md#assignmentoperator const PERMITTED_OPERATORS = [ "-=", "*=", "/=", "%=", "<<=", ">>=", ">>>=", "|=", "^=", "&=", "**=", ]; // operators to match against, such as X.innerHTML += foo const CHECK_REQUIRED_OPERATORS = ["=", "+=", "||=", "&&=", "??="]; return { AssignmentExpression(node) { // called when an identifier is found in the tree. // the "exit" prefix ensures we know all subnodes already. if ("property" in node.left) { // If we don't have an operator we safely ignore if (PERMITTED_OPERATORS.indexOf(node.operator) === -1) { if ( CHECK_REQUIRED_OPERATORS.indexOf(node.operator) === -1 ) { ruleHelper.reportUnsupported( node, "Unexpected Assignment", `Unsupported Operator ${encodeURIComponent(node.operator)} for AssignmentExpression` ); } ruleHelper.checkProperty(node); } } }, }; }, };