Update S1523 (code-eval): merge ESLint no-script-url

its/ruling/src/test/expected/js/backbone/javascript-S1523.json

@@ -1,4 +1,7 @@
 {
+"backbone:backbone.js": [
+1875
+],
 "backbone:index.html": [
 5252
 ]

its/ruling/src/test/expected/js/es5-shim/javascript-S1523.json

@@ -0,0 +1,5 @@
+{
+"es5-shim:es5-sham.js": [
+255
+]
+}

its/ruling/src/test/expected/js/jStorage/javascript-S1523.json

@@ -0,0 +1,5 @@
+{
+"jStorage:example/index.html": [
+82
+]
+}

its/ruling/src/test/expected/js/javascript-test-sources/javascript-S1523.json

@@ -14,5 +14,11 @@
 ],
 "javascript-test-sources:src/ace/tool/mode_creator.js": [
 214
+],
+"javascript-test-sources:src/ecmascript6/Ghost/core/client/app/components/gh-skip-link.js": [
+16
+],
+"javascript-test-sources:src/ecmascript6/Ghost/core/client/tests/integration/components/gh-navitem-url-input-test.js": [
+293
 ]
 }

src/linting/eslint/rules/code-eval.ts

@@ -22,11 +22,15 @@
 
 import { Rule } from 'eslint';
 import * as estree from 'estree';
+import { eslintRules } from 'linting/eslint/rules/core';
+
+const noScriptUrlRule = eslintRules['no-script-url'];
 
 export const rule: Rule.RuleModule = {
   meta: {
     messages: {
       safeCode: 'Make sure that this dynamic injection or execution of code is safe.',
+      unexpectedScriptURL: "Make sure that 'javascript:' code is safe as it is a form of eval().",
     },
   },
   create(context: Rule.RuleContext) {
@@ -35,6 +39,7 @@ export const rule: Rule.RuleModule = {
         checkCallExpression(node as estree.CallExpression, context),
       NewExpression: (node: estree.Node) =>
         checkCallExpression(node as estree.CallExpression, context),
+      ...noScriptUrlRule.create(context),
     };
   },
 };

tests/linting/eslint/rules/code-eval.test.ts

@@ -101,5 +101,9 @@ ruleTester.run('Dynamically executing code is security-sensitive', rule, {
       code: `new Function('a', x)`,
       errors: 1,
     },
+    {
+      code: `location.href = 'javascript: void(0)';`,
+      errors: 1,
+    },
   ],
 });