This function disallows unsafe coding practices that may result into security vulnerabilities. We will disallow assignments to innerHTML as well as calls to insertAdjacentHTML without the use of a pre-defined escaping function. The escaping functions must be called with a template string. The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.

Rule Details

The rule disallows unsafe coding practices while trying to allow safe coding practices.

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;

This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase Gaia. Further documentation, which includes references to the escaping functions can be found on MDN.

Keywords

FAQs

What is eslint-plugin-no-unsafe-innerhtml?

Is eslint-plugin-no-unsafe-innerhtml popular?

Is eslint-plugin-no-unsafe-innerhtml well maintained?

Last updated on 06 Mar 2017

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

eslint-plugin-no-unsafe-innerhtml

Disallow unsafe HTML templating (no-unsafe-innerhtml)

Rule Details

Keywords

Related posts

New axobject-query Maintainer Faces Backlash Over Controversial Decision to Support Legacy Node.js Versions

2023 State of JavaScript Survey Highlights: Vite Dominates, TypeScript Adoption Soars