Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and the like
Disallow unsanitized code (no-unsanitized)

These rules disallow unsafe coding practices that may result in security vulnerabilities. They disallow assignments (e.g., to innerHTML) as well as calls (e.g., to insertAdjacentHTML) unless the value passes through a pre-defined escaping function. The escaping function must be called as a tagged template string. The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.

This rule is being used within Mozilla to maintain and improve the security of our products and services.

Rule Details

method

The method rule disallows certain function calls, e.g., document.write() or insertAdjacentHTML(). See docs/rules/method.md for more.

property

The property rule disallows certain assignment expressions, e.g., to innerHTML.

See docs/rules/property.md for more.

Examples

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;
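The following is an added example, not code shipped by eslint-plugin-no-unsanitized. It assumes an escapeHTML tagged-template function of the kind the rule expects on the right-hand side of an innerHTML assignment (the README names the function but does not show its implementation), and contrasts the disallowed concatenation pattern with the allowed tagged-template pattern on a constructed untrusted value. Every name below other than escapeHTML is an assumption made for this example.

```javascript
// Added example (not part of eslint-plugin-no-unsanitized).
// Assumption: escapeHTML is a template tag that HTML-encodes every
// interpolated value and leaves the developer-written literal chunks intact.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change meaning inside HTML text or
// quoted attribute values.
function encode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: `strings` are the static chunks written by the developer,
// `values` are the interpolated expressions, which may carry untrusted data.
function escapeHTML(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? encode(values[i]) : ''),
    ''
  );
}

// Constructed untrusted input (e.g. read from a query string); not real data.
const untrustedUrl = `/about?q=<b>"x"</b>&'y'`;

// Disallowed by the property rule: concatenation copies the input verbatim,
// so any markup it contains ends up in the document.
function buildUnsafeMarkup(url) {
  return "<a href='" + url + "'>About</a>";
}

// Allowed by the property rule: the interpolation is encoded by the tag, the
// literal anchor markup is kept as written.
function buildSafeMarkup(url) {
  return escapeHTML`<a href='${url}'>About</a>`;
}

// Usage: both builders return a string that would be assigned to innerHTML.
console.log('unsafe:', buildUnsafeMarkup(untrustedUrl));
console.log('safe:  ', buildSafeMarkup(untrustedUrl));
```

The encoded output keeps the interpolated value inside the quoted href attribute, which is what the lint rule relies on when it accepts `escapeHTML` tagged templates and rejects plain string concatenation.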

Install

With yarn or npm:

$ yarn add -D eslint-plugin-no-unsanitized
$ npm install --save-dev eslint-plugin-no-unsanitized

Usage

In your eslint.json file enable this rule with the following:

{
    "plugins": ["no-unsanitized"],
    "extends": ["plugin:no-unsanitized/DOM"]
}

Or:

{
    "plugins": ["no-unsanitized"],
    "rules": {
        "no-unsanitized/method": "error",
        "no-unsanitized/property": "error"
    }
}

Documentation

See docs/.
