[![Build Status](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized.svg?branch=master)](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized)
# Disallow unsanitized code (no-unsanitized)
These rules disallow unsafe coding practices that may result in security
vulnerabilities. They disallow assignments (e.g., to `innerHTML`) as well as
calls (e.g., to `insertAdjacentHTML()`) unless the value passes through a pre-defined
escaping function. The escaping functions must be called with a template string.
The function names are hardcoded as `Sanitizer.escapeHTML` and `escapeHTML`.
The plugin also supports the
[Sanitizer API](https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API),
so calls to `.setHTML()` are also allowed by default.
This plugin is built for and used within Mozilla to maintain and improve the security
of our products and services.
# Rule Details
## method
The _method_ rule disallows certain function calls, e.g., `document.write()` or `insertAdjacentHTML()`.
See [docs/rules/method.md](docs/rules/method.md) for more.
## property
The _property_ rule disallows certain assignment expressions, e.g., to `innerHTML`.
See [docs/rules/property.md](docs/rules/property.md) for more.
## Examples
Here are a few examples of code that we do not want to allow:
```js
foo.innerHTML = input.value;
bar.innerHTML = "<a href='" + url + "'>About</a>";
```
A few examples of allowed practices:
```js
foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;
```
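As an added example (not part of the plugin's README or source), here is what a tagged-template `escapeHTML` of the kind the rules expect looks like, placed beside the disallowed string concatenation from above. The point of the template-string requirement is visible in the code: the literal template chunks are developer-written and pass through unchanged, while every `${...}` interpolation is escaped. The names `escapeValue`, `escapeHTML`, `buildLinkUnsafe` and `buildLink`, and the sample URL, are constructed for this illustration.

```javascript
// Added example, not code from eslint-plugin-no-unsanitized.
// Minimal HTML escaping of the five characters that matter in text and
// quoted-attribute contexts.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeValue(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: `strings` are the static chunks written by the developer,
// `values` are the ${...} interpolations, which are the only parts escaped.
function escapeHTML(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeValue(values[i]) : ""),
    ""
  );
}

// The pattern the property rule rejects: untrusted data concatenated
// straight into markup (constructed to mirror the README's disallowed example).
function buildLinkUnsafe(url) {
  return "<a href='" + url + "'>About</a>";
}

// The pattern the property rule accepts: the same markup built through the
// escaping tag, so the interpolated value cannot break out of the attribute.
function buildLink(url) {
  return escapeHTML`<a href='${url}'>About</a>`;
}

// Constructed sample input containing the characters that would otherwise
// terminate the attribute or open a new tag.
const sampleUrl = "/about?q=<b>'x'&y=\"z\"";
console.log(buildLinkUnsafe(sampleUrl));
console.log(buildLink(sampleUrl));
```

Note that this escaping is sufficient only because the template itself places the value inside a quoted attribute; it does not validate URL schemes, so a sanitizer used with `href` values still needs a scheme check in addition to the escaping the rule looks for.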
# Install
With **yarn** or **npm**:
```bash
$ yarn add -D eslint-plugin-no-unsanitized
$ npm install --save-dev eslint-plugin-no-unsanitized
```
## Usage
### Flat config
```js
import nounsanitized from "eslint-plugin-no-unsanitized";

// Export the config array directly; assigning to an undeclared `config`
// inside `export default` throws a ReferenceError in module (strict) code.
export default [nounsanitized.configs.recommended];
```
or
```js
import nounsanitized from "eslint-plugin-no-unsanitized";

export default [
  {
    files: ["**/*.js"],
    // In flat config the rule prefix must match the plugin key, so the
    // plugin is registered under "no-unsanitized" to match the rule IDs below.
    plugins: { "no-unsanitized": nounsanitized },
    rules: {
      "no-unsanitized/method": "error",
      "no-unsanitized/property": "error",
    },
  },
];
```
### eslintrc
In your `.eslintrc.json` file enable these rules with the following:
```json
{
  "extends": ["plugin:no-unsanitized/recommended-legacy"]
}
```
Or:
```json
{
  "plugins": ["no-unsanitized"],
  "rules": {
    "no-unsanitized/method": "error",
    "no-unsanitized/property": "error"
  }
}
```
# Documentation
See [docs/](docs/).