eslint-plugin-no-unsanitized - npm Package Compare versions

Comparing version 3.0.2 to 3.1.0

0001-also-update-peer-dependency.patch

1

index.js

@@ -9,2 +9,3 @@ /* global module, require */

DOM: {
plugins: ["no-unsanitized"],
rules: {

@@ -11,0 +12,0 @@ "no-unsanitized/property": [

@@ -122,2 +122,5 @@ /**

break;
case "Import":
methodName = "import";
break;
default:

@@ -207,3 +210,10 @@ this.reportUnsupported(node, "Unexpected callable", `unexpected ${node.type} in normalizeMethodName`);

// However if they have missing keys merge with default
const ruleCheck = Object.assign({},
const ruleCheck = Object.assign(
"defaultDisable" in parentRuleChecks ? {} :
{
escape: {
taggedTemplates: ["Sanitizer.escapeHTML", "escapeHTML"],
methods: ["Sanitizer.unwrapSafeHTML", "unwrapSafeHTML"]
}
},
defaultRuleChecks[ruleCheckKey],

@@ -214,2 +224,3 @@ parentRuleChecks,

});
return ruleCheckOutput;

@@ -216,0 +227,0 @@ },
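Review bot: The comment `// However if they have missing keys merge with default` overstates what the new `Object.assign(...)` call does: the merge is shallow, so a user-supplied `escape` object replaces the default `escape` block wholesale instead of filling in a missing `methods` or `taggedTemplates` key. That replacement is the fail-closed direction (an explicit allow-list never silently inherits the built-in `Sanitizer.escapeHTML`/`unwrapSafeHTML` entries), and the visible tests do not show whether it was chosen deliberately, so the intent should be stated rather than left to the reader: `// Shallow merge: a user-supplied "escape" object replaces the default one entirely; the defaults apply only when the config gives no escape block (and never when defaultDisable is set)`. The `Object.assign` argument list continues in the following hunk, and the enclosing function starts and ends outside both.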

@@ -23,2 +23,8 @@ /* global module */

// check first parameter of import()
import: {
properties: [0]
},
// check first parameter to createContextualFragment()

@@ -65,2 +71,20 @@ createContextualFragment: {

case "Import":
ruleHelper.checkMethod(callExpr);
break;
case "SequenceExpression": {
// the return value of a SequenceExpression is the last expression.
// So, we create a new mock CallExpression with the actually called
// ... expression as the callee node and pass it to checkMethod()
const newCallExpr = Object.assign({}, callExpr);
const idx = node.expressions.length - 1;
const called = node.expressions[idx];
newCallExpr.callee = called;
ruleHelper.checkMethod(newCallExpr);
break;
}
// those are fine:

@@ -75,3 +99,2 @@ case "LogicalExpression": // Should we scan these? issue #62.

case "NewExpression":
case "Import":
break;

@@ -81,3 +104,3 @@

default:
ruleHelper.reportUnsupported(node, "Unexpected Callee", "Unsupported Callee for CallExpression");
ruleHelper.reportUnsupported(node, "Unexpected Callee", `Unsupported Callee of type '${node.type}' for CallExpression`);
}

@@ -84,0 +107,0 @@ }
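Review bot: The new `SequenceExpression` case unwraps a single level: `called` is read from `node.expressions` once and installed as the callee, so a callee that is itself a nested sequence presumably reaches `checkMethod` as a `SequenceExpression` and is reported as unsupported rather than inspected (inferred; `checkMethod` and `normalizeMethodName` are outside the hunk). Taking the last expression in a loop covers that without changing the single-level behaviour: `let called = node; while (called.type === "SequenceExpression") { called = called.expressions[called.expressions.length - 1]; }`, followed by the existing `newCallExpr.callee = called;`. The shallow copy `Object.assign({}, callExpr)` also leaves `called.parent` pointing at the original sequence node, which is harmless only if `checkMethod` never walks up from the callee; a one-line comment recording that assumption would save the next reader the check.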

10

package.json
{
"name": "eslint-plugin-no-unsanitized",
"description": "ESLint rule to disallow unsanitized code",
"version": "3.0.2",
"version": "3.1.0",
"author": {

@@ -12,8 +12,8 @@ "name": "Frederik Braun et al."

"devDependencies": {
"babel-eslint": "^8.2.3",
"eslint": "^4.16.0",
"mocha": "^5.1.1"
"babel-eslint": "^8.2.6",
"eslint": "^5.0.0",
"mocha": "^5.2.0"
},
"peerDependencies": {
"eslint": ">=3"
"eslint": "^5"
},

@@ -20,0 +20,0 @@ "homepage": "https://github.com/mozilla/eslint-plugin-no-unsanitized/",
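Review bot: The `peerDependencies` range narrows from `">=3"` to `"^5"` while the package version only moves from 3.0.2 to 3.1.0; under semver that is a breaking change for consumers still on ESLint 3 or 4, who will now get an unmet-peer warning or, with strict package managers, an install failure. If the rule code genuinely requires ESLint 5 a major bump is the conventional signal; if `^5` only reflects what CI tests against, the peer range could stay at `">=3"` with only the `devDependencies` moving to `^5.0.0`. Separately, the compared tarball picks up `0001-also-update-peer-dependency.patch` (listed at the top of the page), which looks like a stray working file; a `files` allow-list in package.json or an `.npmignore` entry would keep such files out of published releases.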

@@ -18,3 +18,3 @@ [![Build Status](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized.svg?branch=master)](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized)

E.g., `document.write()` or `insertAdjacentHTML()`.
See [docs/method.md](docs/method.md) for more.
See [docs/rules/method.md](docs/rules/method.md) for more.

@@ -24,3 +24,3 @@ ## property

See [docs/property.md](docs/property.md) for more.
See [docs/rules/property.md](docs/rules/property.md) for more.

@@ -58,8 +58,6 @@

In your eslint.json file enable this rule with the following:
In your `.eslintrc.json` file enable this rule with the following:
```
{
"plugins": ["no-unsanitized"],
"extends": ["plugin:no-unsanitized/DOM"]

@@ -66,0 +64,0 @@ }

@@ -156,2 +156,50 @@ /* global require */

},
{ // issue 108: adding tests for custom escaper
code: "range.createContextualFragment(templateEscaper`<em>${evil}</em>`);",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
taggedTemplates: ["templateEscaper"]
}
}
]
},
{ // issue 108: adding tests for custom escaper
code: "n.insertAdjacentHTML('afterend', DOMPurify.sanitize(evil));",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
methods: ["DOMPurify.sanitize"]
}
}
]
},
{ // issue 108: adding tests for custom escaper
code: "n.insertAdjacentHTML('afterend', DOMPurify.sanitize(evil, options));",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
methods: ["DOMPurify.sanitize"]
}
}
]
},
{ // issue 108: adding tests for custom escaper
code: "n.insertAdjacentHTML('afterend', DOMPurify.sanitize(evil, {ALLOWED_TAGS: ['b']}));",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
methods: ["DOMPurify.sanitize"]
}
}
]
},
{ // basic support for SequenceExpressions, which always return the last item - fixes #113
code: "let a = (0,1,2,34);",
parserOptions: { ecmaVersion: 6 },
}
],

@@ -312,4 +360,102 @@

]
}
},
// Issue NN: Disallow import() with non-literal params
{
code: "import(foo)",
parser: "babel-eslint",
errors: [
{
message: "Unsafe call to import for argument 0",
type: "CallExpression"
}
]
},
{ // basic support for SequenceExpressions, which always return the last item - fixes #113
code: "(0, node.insertAdjacentHTML)('beforebegin', evil);",
parserOptions: { ecmaVersion: 6 },
errors: [
{
message: "Unsafe call to node.insertAdjacentHTML for argument 1",
type: "CallExpression"
}
]
},
{ // issue 108: adding tests for custom escaper
// in this case we allow a function for templates, but it's used as a method
code: "n.insertAdjacentHTML('afterend', templateEscaper(evil, options));",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
taggedTemplates: ["templateEscaper"]
}
}
],
errors: [
{
message: "Unsafe call to n.insertAdjacentHTML for argument 1",
type: "CallExpression"
}
]
},
{ // issue 108: adding tests for custom escaper
// in this case we allow a function for methods, but it's used fo template strings
code: "n.insertAdjacentHTML('afterend', sanitize`<em>${evil}</em>`);",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
methods: ["sanitize"]
}
}
],
errors: [
{
message: "Unsafe call to n.insertAdjacentHTML for argument 1",
type: "CallExpression"
}
]
},
{
code: "document.writeln(Sanitizer.escapeHTML`<em>${evil}</em>`);",
parserOptions: { ecmaVersion: 6 },
options: [
{
defaultDisable: true
},
{
// check first parameter to .writeLn(), as long as the preceeding object matches the regex "document"
writeln: {
objectMatches: [
"document"
],
properties: [0],
escape: {
methods: [],
taggedTemplates: [],
}
}
}
],
errors: [
{
message: "Unsafe call to document.writeln for argument 0",
type: "CallExpression"
}
]
},
{ // basic support for SequenceExpressions, which always return the last item - fixes #113
code: "(0, node.insertAdjacentHTML)('beforebegin', evil);",
parserOptions: { ecmaVersion: 6 },
errors: [
{
message: "Unsafe call to node.insertAdjacentHTML for argument 1",
type: "CallExpression"
}
]
},
]
});
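Review bot: The invalid case `(0, node.insertAdjacentHTML)('beforebegin', evil);` appears twice in this hunk, once right after the `import(foo)` case and again as the final entry, so the second copy can be dropped. The comment `// Issue NN: Disallow import() with non-literal params` still carries a placeholder issue number. The `import()` coverage has only the failing form; a passing case such as `code: "import('./module.js')", parser: "babel-eslint"` would confirm that literal specifiers are not reported, and a nested form like `(0, (0, node.insertAdjacentHTML))('beforebegin', evil)` would pin what the new SequenceExpression handling does beyond one level. Note that the valid case `let a = (0,1,2,34);` is not a call, so it only shows that a bare sequence does not crash the rule, not that a sequence callee is inspected.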

@@ -122,3 +122,2 @@ /* global require */

// Native method (Check customize code doesn't include these)

@@ -128,2 +127,26 @@ {

},
{ // issue 108: adding tests for custom escaper
code: "w.innerHTML = templateEscaper`<em>${evil}</em>`;",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
taggedTemplates: ["templateEscaper"]
}
}
]
},
{ // issue 108: adding tests for custom escaper
code: "w.innerHTML = DOMPurify.sanitize('<em>${evil}</em>');",
parserOptions: { ecmaVersion: 6 },
options: [
{
escape: {
methods: ["DOMPurify.sanitize"]
}
}
]
},
],

@@ -130,0 +153,0 @@
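Review bot: In the valid case `w.innerHTML = DOMPurify.sanitize('<em>${evil}</em>');` the argument is a single-quoted string, so `${evil}` is inert text and the sanitizer receives a constant. The case still exercises the `methods` escaper, since a call result would otherwise not be accepted for `innerHTML`, but it was presumably meant to mirror the neighbouring tagged-template case with real interpolation: `code: "w.innerHTML = DOMPurify.sanitize(`<em>${evil}</em>`);",` (backticks are plain characters inside the double-quoted test source, as the `templateEscaper` case above already relies on).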

