USWDS | xss audit, standardization

[scottqueen-bixal]

Description

It was reported in our community channels that an XSS vulnerability exists in our combo-box.js script, and was resolved and deployed from pull request #4287 .

Similar vulnerabilities could be possible through other components that use innerHTML assignments.

Because of this, we have decided to set up a standard at which we should construct elements while limiting similar vulnerabilities, but without losing the ability to build with those methods.

We have included a new linter plugin eslint-plugin-no-unsanitized created by the folks at mozilla, which,

... disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike

This linter will notify contributors when unsafe coding patterns have been used. As the plugin suggests, we recommend,

...to construct DOM nodes using createElement and changing their attributes (e.g., textContent, classList) instead.

When any of these approaches are properly resolved, the linter will no longer throw an error.

We have included the provided sanitizer.js library in our utils which will support fixing these errors. More information can be found in the plugin documentation

• Follow the 18F Front End Coding Style Guide and Accessibility Guide.
• Run npm test and make sure the tests for the files you have changed have passed.
• Run your code through HTML_CodeSniffer and make sure it’s error free.
• Title your pull request using this format: [Website] - [UI component]: Brief statement describing what this pull request solves.

[mejiaj]

Minor comment, but otherwise LGTM.

---

We have some cases of almost duplicate code when checking single or plural. We should refactor in the future.

Examples:
file-input.js:145
file-input.js:282
combobox.js:448

[mejiaj]

Could we simplify this?

const { defaultValue, placeholder } = comboBoxEl.dataset