New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add warning about use of unsafe innerHTML #1140
Conversation
…e-innerhtml and basic tests.
package.json
Outdated
@@ -72,6 +72,7 @@ | |||
"dispensary": "0.10.3", | |||
"es6-promisify": "5.0.0", | |||
"eslint": "3.16.0", | |||
"eslint-plugin-no-unsafe-innerhtml": "EnTeQuAk/eslint-plugin-no-unsafe-innerhtml#4b6b606d50", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is an upstream PR that needs merging first (mozilla/eslint-plugin-no-unsanitized#16) so this will be updated once that happens.
export default { | ||
create(context) { | ||
var filename = context.getFilename(); | ||
var relPath = path.relative(process.cwd(), context.getFilename()); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might need a bit more work and testing. I'd love to forward the actual package path to the rules eventually but for now this seems to work just fine. (also this rule will be removed anyway but it's a good example)
allowInlineConfig: false, | ||
filename: this.filename, | ||
// Avoid loading the addons-linter .eslintrc file | ||
useEslintrc: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Presumably this change also means that eslintrc's nested in a webext can't override anything. It would be good to add an explicit test for something like that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added #1141 for this, could be a rabbit-hole so I'd like to do that as a separate task.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, that's fine we should try and avoid a release until that's checked - a quick local check would suffice though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I checked locally and couldn't find an obvious way to overwrite default checks (checked with innerHTML)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That doesn't work without that option too though as far as I see.
export default { | ||
create(context) { | ||
var filename = context.getFilename(); | ||
var relPath = path.relative(process.cwd(), context.getFilename()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I could see this could potentially break with using the linter via web-ext.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I want to make this configurable and maybe forward the actual package path, not sure yet, see #1140 (comment) on that.
Generally, this is how eslint does things anyway so I don't expect there to be any major problems.
Looks pretty good. I like how the rule doesn't worry about static values. I notice it doesn't catch bracket syntax: foo['innerHTML'] = "<a href='"+url+"'>About</a>"; But it's a good start in any case. r+wc |
One other thing - I see the rule allows for specific use of a escaping functions that would also in our case mean that if you wrap something in a function with the right name you would bypass the warning. It might be nice to be able to disable that for our case (probably an upstream patch). Or alternatively we could look to making some policy where we utiise that feature and define a list of acceptable sanitization function names. Either way that probably needs to be discussed with Andreas etc. |
I'd say, let's file this at https://github.com/mozfreddyb/eslint-plugin-no-unsafe-innerhtml to get this in upstream.
Can you elaborate on this a little bit more / maybe file appropriate tickets? I feel like I don't get what you mean right now. |
I merged it, let's improve this incrementally from now on. I feel like it catches a lot and all rules should be subject to incremental improvement and re-evaluation. |
Personally I think we can catch this with policy. Yes, the escapeHTML function would allow circumventing the warning, but escapeHTML is indeed the most common function name for functions that escape html. If wanted we could add another rule that makes sure the escapeHTML function does what it is supposed to do (by requiring the one we have in MDN). @wagnerand ? |
Fixes #811 and references (but doesn't fix it yet imho) #1113
This PR improves 3rd party rule support where needed along the way. Also adapts other rules a bit, e.g to correctly resolve the current working directory. See the actual commits for more details.
This now uses
CLIEngine.executeOnText
instead ofeslint.verify
to make sure plugins and processors are properly loaded. We could have done that ourselves but it felt more appropriate to just use that API. This messes a bit with the current working directory (now absolute paths are present incontext.getFilename
) but that's reasonable.