eslint-plugin-no-unsanitized
Comparing version 3.0.2 to 3.1.0
@@ -9,2 +9,3 @@ /* global module, require */ | ||
DOM: { | ||
plugins: ["no-unsanitized"], | ||
rules: { | ||
@@ -11,0 +12,0 @@ "no-unsanitized/property": [ |
@@ -122,2 +122,5 @@ /** | ||
break; | ||
case "Import": | ||
methodName = "import"; | ||
break; | ||
default: | ||
@@ -207,3 +210,10 @@ this.reportUnsupported(node, "Unexpected callable", `unexpected ${node.type} in normalizeMethodName`); | ||
// However if they have missing keys merge with default | ||
const ruleCheck = Object.assign({}, | ||
const ruleCheck = Object.assign( | ||
"defaultDisable" in parentRuleChecks ? {} : | ||
{ | ||
escape: { | ||
taggedTemplates: ["Sanitizer.escapeHTML", "escapeHTML"], | ||
methods: ["Sanitizer.unwrapSafeHTML", "unwrapSafeHTML"] | ||
} | ||
}, | ||
defaultRuleChecks[ruleCheckKey], | ||
@@ -214,2 +224,3 @@ parentRuleChecks, | ||
}); | ||
return ruleCheckOutput; | ||
@@ -216,0 +227,0 @@ }, |
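Review bot: The `"defaultDisable" in parentRuleChecks` condition on the new Object.assign line tests for the key's presence, not its value, so a config that spells out `defaultDisable: false` also drops the built-in escapers (`Sanitizer.escapeHTML`, `unwrapSafeHTML`) and every call that relied on them starts being reported. If the option is meant as the boolean switch the name suggests, branch on the value instead: `parentRuleChecks.defaultDisable ? {} : { escape: { ... } }`, with the same two default lists. The enclosing function starts before the hunk and the remaining Object.assign arguments run past it, so I can't see whether the same presence check is repeated elsewhere in the merge; the only test on this page covers `defaultDisable: true`, so the `false` case would go unnoticed.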
@@ -23,2 +23,8 @@ /* global module */ | ||
// check first parameter of import() | ||
import: { | ||
properties: [0] | ||
}, | ||
// check first parameter to createContextualFragment() | ||
@@ -65,2 +71,20 @@ createContextualFragment: { | ||
case "Import": | ||
ruleHelper.checkMethod(callExpr); | ||
break; | ||
case "SequenceExpression": { | ||
// the return value of a SequenceExpression is the last expression. | ||
// So, we create a new mock CallExpression with the actually called | ||
// ... expression as the callee node and pass it to checkMethod() | ||
const newCallExpr = Object.assign({}, callExpr); | ||
const idx = node.expressions.length - 1; | ||
const called = node.expressions[idx]; | ||
newCallExpr.callee = called; | ||
ruleHelper.checkMethod(newCallExpr); | ||
break; | ||
} | ||
// those are fine: | ||
@@ -75,3 +99,2 @@ case "LogicalExpression": // Should we scan these? issue #62. | ||
case "NewExpression": | ||
case "Import": | ||
break; | ||
@@ -81,3 +104,3 @@ | ||
default: | ||
ruleHelper.reportUnsupported(node, "Unexpected Callee", "Unsupported Callee for CallExpression"); | ||
ruleHelper.reportUnsupported(node, "Unexpected Callee", `Unsupported Callee of type '${node.type}' for CallExpression`); | ||
} | ||
@@ -84,0 +107,0 @@ } |
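Review bot: The new SequenceExpression branch takes only the last element of `node.expressions` and hands it straight to `ruleHelper.checkMethod()` without re-dispatching on its type, so a nested sequence such as `(0, (0, node.insertAdjacentHTML))('beforebegin', evil)` reaches checkMethod with a SequenceExpression callee, and a last expression of any other type this switch handles separately skips that handling. Unwrapping first keeps at least the nested case covered: `let called = node; while (called.type === "SequenceExpression") { called = called.expressions[called.expressions.length - 1]; }` followed by `const newCallExpr = Object.assign({}, callExpr, { callee: called });`. Separately, the `case "Import"` branch only matches the `Import` callee node that babel-eslint produces (the invalid test on this page sets `parser: "babel-eslint"`); under the ESTree `ImportExpression` shape a dynamic `import()` is presumably not a CallExpression at all, so the new check would silently not fire there — worth a comment on the case, e.g. `// babel-eslint only: ESTree models import() as ImportExpression, not a CallExpression`. The function containing this switch starts before and ends after the hunks.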
{ | ||
"name": "eslint-plugin-no-unsanitized", | ||
"description": "ESLint rule to disallow unsanitized code", | ||
"version": "3.0.2", | ||
"version": "3.1.0", | ||
"author": { | ||
@@ -12,8 +12,8 @@ "name": "Frederik Braun et al." | ||
"devDependencies": { | ||
"babel-eslint": "^8.2.3", | ||
"eslint": "^4.16.0", | ||
"mocha": "^5.1.1" | ||
"babel-eslint": "^8.2.6", | ||
"eslint": "^5.0.0", | ||
"mocha": "^5.2.0" | ||
}, | ||
"peerDependencies": { | ||
"eslint": ">=3" | ||
"eslint": "^5" | ||
}, | ||
@@ -20,0 +20,0 @@ "homepage": "https://github.com/mozilla/eslint-plugin-no-unsanitized/", |
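Review bot: The peerDependencies range is narrowed from `"eslint": ">=3"` to `"eslint": "^5"` in what is otherwise a minor release (3.0.2 to 3.1.0), so consumers still on ESLint 3 or 4 get an unmet-peer warning, or an install failure under strict peer resolution, when they pick this version up. If the rule code now genuinely needs ESLint 5 APIs, say so in the release notes and consider a major bump; if only the dev toolchain moved, keeping `">=3"` (or `">=3 <6"` if 6 is known to break) avoids the surprise.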
@@ -18,3 +18,3 @@ [![Build Status](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized.svg?branch=master)](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized) | ||
E.g., `document.write()` or `insertAdjacentHTML()`. | ||
See [docs/method.md](docs/method.md) for more. | ||
See [docs/rules/method.md](docs/rules/method.md) for more. | ||
@@ -24,3 +24,3 @@ ## property | ||
See [docs/property.md](docs/property.md) for more. | ||
See [docs/rules/property.md](docs/rules/property.md) for more. | ||
@@ -58,8 +58,6 @@ | ||
In your eslint.json file enable this rule with the following: | ||
In your `.eslintrc.json` file enable this rule with the following: | ||
``` | ||
{ | ||
"plugins": ["no-unsanitized"], | ||
"extends": ["plugin:no-unsanitized/DOM"] | ||
@@ -66,0 +64,0 @@ } |
@@ -156,2 +156,50 @@ /* global require */ | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
code: "range.createContextualFragment(templateEscaper`<em>${evil}</em>`);", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
taggedTemplates: ["templateEscaper"] | ||
} | ||
} | ||
] | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
code: "n.insertAdjacentHTML('afterend', DOMPurify.sanitize(evil));", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
methods: ["DOMPurify.sanitize"] | ||
} | ||
} | ||
] | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
code: "n.insertAdjacentHTML('afterend', DOMPurify.sanitize(evil, options));", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
methods: ["DOMPurify.sanitize"] | ||
} | ||
} | ||
] | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
code: "n.insertAdjacentHTML('afterend', DOMPurify.sanitize(evil, {ALLOWED_TAGS: ['b']}));", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
methods: ["DOMPurify.sanitize"] | ||
} | ||
} | ||
] | ||
}, | ||
{ // basic support for SequenceExpressions, which always return the last item - fixes #113 | ||
code: "let a = (0,1,2,34);", | ||
parserOptions: { ecmaVersion: 6 }, | ||
} | ||
], | ||
@@ -312,4 +360,102 @@ | ||
] | ||
} | ||
}, | ||
// Issue NN: Disallow import() with non-literal params | ||
{ | ||
code: "import(foo)", | ||
parser: "babel-eslint", | ||
errors: [ | ||
{ | ||
message: "Unsafe call to import for argument 0", | ||
type: "CallExpression" | ||
} | ||
] | ||
}, | ||
{ // basic support for SequenceExpressions, which always return the last item - fixes #113 | ||
code: "(0, node.insertAdjacentHTML)('beforebegin', evil);", | ||
parserOptions: { ecmaVersion: 6 }, | ||
errors: [ | ||
{ | ||
message: "Unsafe call to node.insertAdjacentHTML for argument 1", | ||
type: "CallExpression" | ||
} | ||
] | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
// in this case we allow a function for templates, but it's used as a method | ||
code: "n.insertAdjacentHTML('afterend', templateEscaper(evil, options));", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
taggedTemplates: ["templateEscaper"] | ||
} | ||
} | ||
], | ||
errors: [ | ||
{ | ||
message: "Unsafe call to n.insertAdjacentHTML for argument 1", | ||
type: "CallExpression" | ||
} | ||
] | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
// in this case we allow a function for methods, but it's used fo template strings | ||
code: "n.insertAdjacentHTML('afterend', sanitize`<em>${evil}</em>`);", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
methods: ["sanitize"] | ||
} | ||
} | ||
], | ||
errors: [ | ||
{ | ||
message: "Unsafe call to n.insertAdjacentHTML for argument 1", | ||
type: "CallExpression" | ||
} | ||
] | ||
}, | ||
{ | ||
code: "document.writeln(Sanitizer.escapeHTML`<em>${evil}</em>`);", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
defaultDisable: true | ||
}, | ||
{ | ||
// check first parameter to .writeLn(), as long as the preceeding object matches the regex "document" | ||
writeln: { | ||
objectMatches: [ | ||
"document" | ||
], | ||
properties: [0], | ||
escape: { | ||
methods: [], | ||
taggedTemplates: [], | ||
} | ||
} | ||
} | ||
], | ||
errors: [ | ||
{ | ||
message: "Unsafe call to document.writeln for argument 0", | ||
type: "CallExpression" | ||
} | ||
] | ||
}, | ||
{ // basic support for SequenceExpressions, which always return the last item - fixes #113 | ||
code: "(0, node.insertAdjacentHTML)('beforebegin', evil);", | ||
parserOptions: { ecmaVersion: 6 }, | ||
errors: [ | ||
{ | ||
message: "Unsafe call to node.insertAdjacentHTML for argument 1", | ||
type: "CallExpression" | ||
} | ||
] | ||
}, | ||
] | ||
}); |
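Review bot: The last invalid case in the second hunk, `(0, node.insertAdjacentHTML)('beforebegin', evil);`, is an exact duplicate of the one added earlier in the same hunk, so one of them should be dropped. The matching valid case in the first hunk, `let a = (0,1,2,34);`, contains no CallExpression at all, so it never reaches the new SequenceExpression branch; a call through a sequence whose argument uses a default escaper, e.g. `(0, n.insertAdjacentHTML)('afterend', Sanitizer.unwrapSafeHTML(evil));`, would actually exercise the callee-unwrapping path. The `// Issue NN: Disallow import() with non-literal params` comment is a placeholder and should name the real issue number.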
@@ -122,3 +122,2 @@ /* global require */ | ||
// Native method (Check customize code doesn't include these) | ||
@@ -128,2 +127,26 @@ { | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
code: "w.innerHTML = templateEscaper`<em>${evil}</em>`;", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
taggedTemplates: ["templateEscaper"] | ||
} | ||
} | ||
] | ||
}, | ||
{ // issue 108: adding tests for custom escaper | ||
code: "w.innerHTML = DOMPurify.sanitize('<em>${evil}</em>');", | ||
parserOptions: { ecmaVersion: 6 }, | ||
options: [ | ||
{ | ||
escape: { | ||
methods: ["DOMPurify.sanitize"] | ||
} | ||
} | ||
] | ||
}, | ||
], | ||
@@ -130,0 +153,0 @@ |
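Review bot: The DOMPurify valid case passes a plain string literal, `DOMPurify.sanitize('<em>${evil}</em>')` (single quotes, so `${evil}` is literal text, not an interpolation); if the rule already treats a string literal as safe, as the import() and custom-escaper tests elsewhere on this page suggest, this case passes with or without the `escape.methods` option and does not show that the custom escaper is honored for `innerHTML`. Passing the non-literal, `w.innerHTML = DOMPurify.sanitize(evil);`, as the method-rule tests do, would make the case meaningful. The enclosing `valid` array starts and ends outside the hunk.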