Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable the eslint-plugin-no-unsanitized ESLint plugin to disallow unsafe usage of e.g. innerHTML #10925

Merged
merged 1 commit into from
Jun 27, 2019
Merged

Enable the eslint-plugin-no-unsanitized ESLint plugin to disallow unsafe usage of e.g. innerHTML #10925

merged 1 commit into from
Jun 27, 2019

Conversation

Snuffleupagus
Copy link
Collaborator

See https://github.com/mozilla/eslint-plugin-no-unsanitized

Since we've generally never allowed e.g. innerHTML, which is enforced during review, there's only one linting failure with this patch. (Which is white-listed, according to the existing comment and the fact that it's test-only code.)

@Snuffleupagus
Enable the eslint-plugin-no-unsanitized ESLint plugin to disallow u…
5bb5e77 
…nsafe usage of e.g. `innerHTML`

See https://github.com/mozilla/eslint-plugin-no-unsanitized

Since we've generally never allowed e.g. `innerHTML`, which is enforced during review, there's only one linting failure with this patch. (Which is white-listed, according to the existing comment and the fact that it's test-only code.)
@Snuffleupagus
Copy link
Collaborator Author

Hmm, https://travis-ci.org/mozilla/pdf.js/builds/549334374#L568-L572

@Snuffleupagus
Copy link
Collaborator Author

/botio lint

@pdfjsbot
Copy link

From: Bot.io (Windows)

Received

Command cmd_lint from @Snuffleupagus received. Current queue size: 0

Live output at: http://54.215.176.217:8877/1d8d2ec703f53fe/output.txt

@pdfjsbot
Copy link

From: Bot.io (Linux m4)

Received

Command cmd_lint from @Snuffleupagus received. Current queue size: 0

Live output at: http://54.67.70.0:8877/794fd1e231ce517/output.txt

@pdfjsbot
Copy link

From: Bot.io (Linux m4)

Success

Full output at http://54.67.70.0:8877/794fd1e231ce517/output.txt

Total script time: 0.99 mins

  • Lint: Passed

@pdfjsbot
Copy link

From: Bot.io (Windows)

Success

Full output at http://54.215.176.217:8877/1d8d2ec703f53fe/output.txt

Total script time: 2.83 mins

  • Lint: Passed

@timvandermeij
Copy link
Contributor

timvandermeij commented Jun 23, 2019
edited
Loading

The four lines that failed the Travis CI build before are of the form (0, function)(parameter1, parameter2);, and I don't really know what this is trying to achieve anyway. Is this some syntax for either calling a real function if it exists and otherwise calling 0 as a dummy or something?

It looks like something we should report upstream, but it would be even better if we could find a way to write those four lines differently. They are certainly confusing to me and apparently also to the plugin...

Edit: Apparently it is used to give the correct this scope to the method, see https://stackoverflow.com/questions/35522560/what-does-this-javascript-syntax-mean-0-parsekey2-defaultsomething, but I find this quite obscure; there must be a better way to do this if this is really necessary...

timvandermeij
timvandermeij approved these changes Jun 27, 2019
View reviewed changes
Copy link
Contributor

@timvandermeij timvandermeij left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have been thinking about this some more and I don't yet see an easy fix for the operator list file. Let's merge this because I do see advantages from the additional linting for all files except for one; removing the ignore in the operator list file can always be done at a later time. Thanks!

@timvandermeij timvandermeij merged commit f1867de into mozilla:master Jun 27, 2019
@Snuffleupagus Snuffleupagus deleted the eslint_no-unsanitized branch June 27, 2019 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timvandermeij timvandermeij timvandermeij approved these changes

Assignees
No one assigned
Labels
other
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Snuffleupagus @pdfjsbot @timvandermeij