Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jonathankingston/eslint-plugin-no-unescaped

PLEASE DON'T USE - use eslint-plugin-no-unsanitized instead
https://github.com/jonathankingston/eslint-plugin-no-unescaped

Last synced: about 2 months ago
JSON representation

PLEASE DON'T USE - use eslint-plugin-no-unsanitized instead

Host: GitHub
URL: https://github.com/jonathankingston/eslint-plugin-no-unescaped
Owner: jonathanKingston
Created: 2017-03-13T07:49:10.000Z (almost 8 years ago)
Default Branch: master
Last Pushed: 2017-05-09T12:00:39.000Z (over 7 years ago)
Last Synced: 2024-11-18T22:24:57.102Z (2 months ago)
Language: JavaScript
Homepage: https://twitter.com/KingstonTime/
Size: 9.77 KB
Stars: 0
Watchers: 3
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # DEPRECATED DO NOT USE

Use https://www.npmjs.com/package/eslint-plugin-no-unsanitized instead, thanks!.

**No further changes are planned here**

# eslint-plugin-no-unescaped

Checks for the following unsafe property assignement issues in code:

## no-key-assignment

```

  const me = "innerHTML";

```

This prevents key usage of variables to access unsafe properties and bypassing the `enforce` rule. This isn't fool proof either however should catch accidental usage of this capability.

Configure eslint like this:

```

  "no-unescaped/no-key-assignment": ["error", ["innerHTML"]]

```

## enforce

```

  el.innerHTML = `${bad}`;

```

This prevents assigning variables from user input into known capabilities that are dangerous to assign to.

Configure eslint like this:

```

  "no-unescaped/enforce": ["error",

    {

      html: {

        taggedTemplates: ["escaped"],

        methods: ["escapeHTML"]

      },

    },

    {

      properties: {

        innerHTML: {

          type: "html"

        },

        outerHTML: {

          type: "html"

        },

      },

      methods: {

        insertAdjacentHTML: {

          type: "html",

          properties: [1]

        },

        writeln: {

          type: "html",

          properties: [0]

        },

        write: {

          type: "html",

          properties: [0]

        },

        createContextualFragment: {

          type: "html",

          properties: [0]

        }

      }

    }

  ]

```

The above is the default setup for the rule, the second and third argument can be ignored for the default setup.

This permits the use of tagged template strings where the function permitted is used to regulate unsafe strings and escape them.

```

  el.innerHTML = escaped`${bad}`;

```

### TODO

Currently the following is considered an error, investigate if this can safely be permitted as it is a common use-case to solve template string reuse.

```

function escapeMe(var) {

  return `Hey check this ${var}!`;

}

el.innerHTML = escapeMe(someVar);

```