Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mozilla/eslint-plugin-no-unsanitized

Custom ESLint rule to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike
https://github.com/mozilla/eslint-plugin-no-unsanitized

eslint-plugin security

Last synced: about 1 month ago
JSON representation

Custom ESLint rule to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike

Host: GitHub
URL: https://github.com/mozilla/eslint-plugin-no-unsanitized
Owner: mozilla
License: mpl-2.0
Created: 2015-05-13T09:12:59.000Z (over 9 years ago)
Default Branch: main
Last Pushed: 2024-10-01T07:33:14.000Z (about 1 month ago)
Last Synced: 2024-10-06T04:27:04.274Z (about 1 month ago)
Topics: eslint-plugin, security
Language: JavaScript
Homepage:
Size: 532 KB
Stars: 228
Watchers: 9
Forks: 37
Open Issues: 30
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md

Awesome Lists containing this project

awesome-frontend-security - `eslint-plugin-no-unsanitized` - ESLint rules to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike. (Code / Linters)
awesome-eslint - no-unsanitized - Checks for `innerHTML`, `outerHTML`, etc. (Plugins / Security)

README

        [![Build Status](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized.svg?branch=master)](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized)

# Disallow unsanitized code (no-unsanitized)

These rules disallow unsafe coding practices that may result into security

vulnerabilities. We will disallow assignments (e.g., to innerHTML) as well as

calls (e.g., to insertAdjacentHTML) without the use of a pre-defined escaping

function. The escaping functions must be called with a template string.

The function names are hardcoded as `Sanitizer.escapeHTML` and `escapeHTML`.

The plugin also supports the

[Sanitizer API](https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API)

and calls to `.setHTML()` are also allowed by default.

This plugin is built for and used within Mozilla to maintain and improve the security

of our products and services.

# Rule Details

## method

The _method_ rule disallows certain function calls.

E.g., `document.write()` or `insertAdjacentHTML()`.

See [docs/rules/method.md](docs/rules/method.md) for more.

## property

The _property_ rule disallows certain assignment expressions, e.g., to `innerHTML`.

See [docs/rules/property.md](docs/rules/property.md) for more.

## Examples

Here are a few examples of code that we do not want to allow:

```js

foo.innerHTML = input.value;

bar.innerHTML = "About";

```

A few examples of allowed practices:

```js

foo.innerHTML = 5;

bar.innerHTML = "About";

bar.innerHTML = escapeHTML`About`;

```

# Install

With **yarn** or **npm**:

```bash

$ yarn add -D eslint-plugin-no-unsanitized

$ npm install --save-dev eslint-plugin-no-unsanitized

```

## Usage

### Flat config

```js

import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [nounsanitized.configs.recommended];

```

or

```js

import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [

    {

        files: ["**/*.js"],

        plugins: { nounsanitized },

        rules: {

            "no-unsanitized/method": "error",

            "no-unsanitized/property": "error",

        },

    },

];

```

### eslintrc

In your `.eslintrc.json` file enable this rule with the following:

```json

{

    "extends": ["plugin:no-unsanitized/recommended-legacy"]

}

```

Or:

```json

{

    "plugins": ["no-unsanitized"],

    "rules": {

        "no-unsanitized/method": "error",

        "no-unsanitized/property": "error"

    }

}

```

# Documentation

See [docs/](docs/).