Add warning about use of unsafe innerHTML

[EnTeQuAk]

Fixes #811 and references (but doesn't fix it yet imho) #1113

This PR improves 3rd party rule support where needed along the way. Also adapts other rules a bit, e.g to correctly resolve the current working directory. See the actual commits for more details.

This now uses CLIEngine.executeOnText instead of eslint.verify to make sure plugins and processors are properly loaded. We could have done that ourselves but it felt more appropriate to just use that API. This messes a bit with the current working directory (now absolute paths are present in context.getFilename) but that's reasonable.

[EnTeQuAk]

There is an upstream PR that needs merging first (mozilla/eslint-plugin-no-unsanitized#16) so this will be updated once that happens.

[coveralls]

Coverage remained the same at 100.0% when pulling cece6c3 on feature/811-add-innerhtml-rule into f1d8368 on master.

[coveralls]

Coverage remained the same at 100.0% when pulling 8306bd7 on feature/811-add-innerhtml-rule into 0853ce4 on master.

[EnTeQuAk]

This might need a bit more work and testing. I'd love to forward the actual package path to the rules eventually but for now this seems to work just fine. (also this rule will be removed anyway but it's a good example)

[muffinresearch]

Nice!

[muffinresearch]

Presumably this change also means that eslintrc's nested in a webext can't override anything. It would be good to add an explicit test for something like that.

[EnTeQuAk]

I added #1141 for this, could be a rabbit-hole so I'd like to do that as a separate task.

[muffinresearch]

Ok, that's fine we should try and avoid a release until that's checked - a quick local check would suffice though.

[EnTeQuAk]

I checked locally and couldn't find an obvious way to overwrite default checks (checked with innerHTML)

[EnTeQuAk]

That doesn't work without that option too though as far as I see.

[muffinresearch]

I could see this could potentially break with using the linter via web-ext.

[EnTeQuAk]

Yeah, I want to make this configurable and maybe forward the actual package path, not sure yet, see #1140 (comment) on that.

Generally, this is how eslint does things anyway so I don't expect there to be any major problems.

[muffinresearch]

Looks pretty good. I like how the rule doesn't worry about static values.

I notice it doesn't catch bracket syntax:

foo['innerHTML'] = "<a href='"+url+"'>About</a>";

But it's a good start in any case.

r+wc

[muffinresearch]

One other thing - I see the rule allows for specific use of a escaping functions that would also in our case mean that if you wrap something in a function with the right name you would bypass the warning.

It might be nice to be able to disable that for our case (probably an upstream patch). Or alternatively we could look to making some policy where we utiise that feature and define a list of acceptable sanitization function names. Either way that probably needs to be discussed with Andreas etc.

[EnTeQuAk]

I notice it doesn't catch bracket syntax

I'd say, let's file this at https://github.com/mozfreddyb/eslint-plugin-no-unsafe-innerhtml to get this in upstream.

One other thing - I see the rule allows for specific use of a escaping functions that would also in our case mean that if you wrap something in a function with the right name you would bypass the warning.

It might be nice to be able to disable that for our case (probably an upstream patch). Or alternatively we could look to making some policy where we utiise that feature and define a list of acceptable sanitization function names. Either way that probably needs to be discussed with Andreas etc.

Can you elaborate on this a little bit more / maybe file appropriate tickets? I feel like I don't get what you mean right now.

[EnTeQuAk]

I merged it, let's improve this incrementally from now on. I feel like it catches a lot and all rules should be subject to incremental improvement and re-evaluation.

[kewisch]

It might be nice to be able to disable that for our case (probably an upstream patch). Or alternatively we could look to making some policy where we utiise that feature and define a list of acceptable sanitization function names. Either way that probably needs to be discussed with Andreas etc.

Personally I think we can catch this with policy. Yes, the escapeHTML function would allow circumventing the warning, but escapeHTML is indeed the most common function name for functions that escape html. If wanted we could add another rule that makes sure the escapeHTML function does what it is supposed to do (by requiring the one we have in MDN). @wagnerand ?