disallowHtmlText failing on bracket in inline JS block #128

Open
gvn opened this issue Mar 14, 2017 · 1 comment
Comments

@gvn

gvn commented Mar 14, 2017

The following pug code causes the disallowHtmlText rule to fail.

script.
  (function () {
    var _dntStatus = navigator.doNotTrack || navigator.msDoNotTrack;
    var fxMatch = navigator.userAgent.match(/Firefox\/(\d+)/);
    var ie10Match = navigator.userAgent.match(/MSIE 10/i);
    var w8Match = navigator.appVersion.match(/Windows NT 6.2/);

    if (fxMatch && Number(fxMatch[1]) < 32) {
      _dntStatus = 'Unspecified';
    } else if (ie10Match && w8Match) {
      _dntStatus = 'Unspecified';
    } else {
      _dntStatus = { '0': 'Disabled', '1': 'Enabled' }[_dntStatus] || 'Unspecified';
    }

    if (_dntStatus !== 'Enabled'){
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

      ga('create', 'UA-87658599-6', 'auto');
      ga('send', 'pageview');
    }
  })();
source/pug/templates/master.pug:89:3
    87|     var w8Match = navigator.appVersion.match(/Windows NT 6.2/);
    88|
  > 89|     if (fxMatch && Number(fxMatch[1]) < 32) {
----------^
    90|       _dntStatus = 'Unspecified';
    91|     } else if (ie10Match && w8Match) {
    92|       _dntStatus = 'Unspecified';

HTML text must not be used

I believe this is because of the < character being mistaken for HTML.
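The false positive described above, as an added example that is not part of the original issue or of pug-lint itself: a simplified, line-based model of a "no HTML in text" check over raw pug source (the real rule works on the pug lexer's token stream, so the function names, regexes and sample input here are all constructed for illustration). It shows that a loose "any `<` is a tag" heuristic flags `< 32` in the script block, that a stricter tag regex alone still trips on ordinary JS that contains both `<` and `>`, and that exempting the block text of `script.`/`style.` tags removes both false positives while still catching real HTML in `p` text.

```javascript
'use strict';

// Added example, not pug-lint's own code. Line-based model of a
// "no HTML in text" lint over raw pug source; the real rule inspects
// lexer text tokens, but the heuristics and the fix carry over.

// Loose heuristic: any `<` is treated as the start of an HTML tag.
const LOOSE_TAG = /</;
// Stricter heuristic: a plausible complete tag such as <b>, </p> or <br/>.
const STRICT_TAG = /<\/?[a-zA-Z][^<>]*>/;

// Tag each source line with whether it is block text under `script.`/`style.`.
function classifyLines(src) {
  const lines = [];
  let blockIndent = -1; // indent of the `script.` line; -1 when not in a block
  src.split('\n').forEach((text, i) => {
    const indent = text.match(/^[ \t]*/)[0].length;
    const blank = text.trim() === '';
    // Deeper-indented (or blank) lines after `script.` belong to its block.
    if (blockIndent >= 0 && (blank || indent > blockIndent)) {
      lines.push({ line: i + 1, text, inScript: true });
      return;
    }
    blockIndent = -1;
    // `script.` or `style.` (optionally with attributes/classes) opens a block.
    if (/^[ \t]*(script|style)\b.*\.\s*$/.test(text)) blockIndent = indent;
    lines.push({ line: i + 1, text, inScript: false });
  });
  return lines;
}

// Run the check; returns the 1-based line numbers that would be reported.
function lintHtmlText(src, { tagRe = LOOSE_TAG, skipScriptBlocks = false } = {}) {
  return classifyLines(src)
    .filter(l => !(skipScriptBlocks && l.inScript))
    .filter(l => tagRe.test(l.text))
    .map(l => l.line);
}

// Constructed sample input modelled on the issue: inline JS containing `<`,
// plus one line of genuine HTML in text that the rule should still catch.
const SAMPLE = [
  'doctype html',                                                       // 1
  'html',                                                               // 2
  '  body',                                                             // 3
  '    script.',                                                        // 4
  '      var fxMatch = navigator.userAgent.match(/Firefox\\/(\\d+)/);', // 5
  '      if (fxMatch && Number(fxMatch[1]) < 32) {',                    // 6
  '        for (var i=0;i<n;i++){ if (x>y) {} }',                       // 7
  '      }',                                                            // 8
  '    p <b>bold</b> text',                                             // 9
  '    p plain text',                                                   // 10
].join('\n');

// Loose check: flags the `< 32` comparison, the loop, and the real HTML.
const loose = lintHtmlText(SAMPLE);                               // [6, 7, 9]
// Stricter regex: `< 32` no longer looks like a tag, but `<n;...x>` still does.
const strict = lintHtmlText(SAMPLE, { tagRe: STRICT_TAG });       // [7, 9]
// Skipping script/style block text: only the genuine HTML remains.
const fixed = lintHtmlText(SAMPLE, { skipScriptBlocks: true });   // [9]

console.log({ loose, strict, fixed });
```

The point of the three runs is that tightening the tag regex is not enough on its own: JavaScript routinely contains `<` and `>` on the same line, so the only robust fix is to not apply the HTML-text check to the block text of `script` and `style` tags at all, which is what the commit referenced below describes.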

@Delagen

Delagen commented Aug 8, 2017

+1
Cannot escape even using

|!='value < 10'

Watchieee pushed a commit to Watchieee/pug-lint that referenced this issue Apr 25, 2018
Watchieee pushed a commit to Watchieee/pug-lint that referenced this issue Jun 4, 2018
* feature/fix-disallow-html:
  Fixed error to not allow < within script tags, see bug pugjs#128
koshikishi added a commit to koshikishi/pug-lint-config that referenced this issue Jan 25, 2024
`disallowHtmlText` reports false positives for HTML inside comments and for `<` in inline JS (see pugjs/pug-lint#128)