These rules disallow unsafe coding practices that may result into security
vulnerabilities. We will disallow assignments (e.g., to innerHTML)as well as
calls (e.g., to insertAdjacentHTML) without the use of a pre-defined escaping
function. The escaping functions must be called with a template string.
The function names are hardcoded as Sanitizer.escapeHTML
and escapeHTML
.
This rule is being used within Mozilla to maintain and improve the security of our products and services.
The method rule disallows certain function calls.
E.g., document.write()
or insertAdjacentHTML()
.
See docs/rules/method.md for more.
The property rule disallows certain assignment expressions, e.g., to innerHTML
.
See docs/rules/property.md for more.
Here are a few examples of code that we do not want to allow:
foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";
A few examples of allowed practices:
foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;
With yarn or npm:
$ yarn add -D eslint-plugin-no-unsanitized
$ npm install --save-dev eslint-plugin-no-unsanitized
In your .eslintrc.json
file enable this rule with the following:
{
"extends": ["plugin:no-unsanitized/DOM"]
}
Or:
{
"plugins": ["no-unsanitized"],
"rules": {
"no-unsanitized/method": "error",
"no-unsanitized/property": "error"
}
}
See docs/.