eslint-plugin-no-unsanitized

4.1.2 (last stable release 4 months ago)
Complexity Score: Low
Open Issues: N/A
Dependent Projects: 240
Weekly Downloads (global): 293,657

License

  • MPL-2.0
    • attribution: Yes
    • linking: Permissive
    • distribution: Copyleft
    • modification: Copyleft
    • patent grant: Yes
    • private use: Yes
    • sublicensing: Copyleft
    • trademark grant: No

Readme

Disallow unsanitized code (no-unsanitized)

These rules disallow unsafe coding practices that may result in security vulnerabilities. We disallow assignments (e.g., to innerHTML) as well as calls (e.g., to insertAdjacentHTML) that do not go through a pre-defined escaping function. The escaping function must be called as a tagged template. The recognised function names are hardcoded as Sanitizer.escapeHTML and escapeHTML. The plugin also supports the Sanitizer API: calls to .setHTML() are allowed by default.

This plugin is built for and used within Mozilla to maintain and improve the security of our products and services.

Rule Details

method

The method rule disallows certain function calls. E.g., document.write() or insertAdjacentHTML(). See docs/rules/method.md for more.

property

The property rule disallows certain assignment expressions, e.g., to innerHTML.

See docs/rules/property.md for more.

Examples

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='" + url + "'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;
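The reason the tagged-template form is accepted while string concatenation is not: a tag function receives the literal HTML fragments the developer wrote separately from the interpolated values, so it can escape only the untrusted values. The plugin only recognises the name escapeHTML; it does not supply the function. The following is an added example implementation of such a tag, not code from the plugin or from Mozilla, and the set of characters it escapes is this example's own choice. The input string is a constructed sample.

```javascript
// Added example: a tagged-template escapeHTML of the shape the no-unsanitized
// rules accept. Not the plugin's code; the plugin only checks the call shape.
// The escape table below is this example's choice (the five characters that
// matter in both text and quoted-attribute context).
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape one interpolated value. Arrays are escaped element-wise and joined,
// so `${items}` cannot fall back to an unescaped Array.prototype.toString().
function escapeValue(value) {
  if (Array.isArray(value)) {
    return value.map(escapeValue).join("");
  }
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function: `strings` holds the literal fragments written by the developer
// (trusted markup); `values` holds the interpolations (untrusted data).
// Only the values are escaped; the literal fragments pass through untouched.
function escapeHTML(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeValue(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed sample input containing every character the tag escapes.
const untrusted = "/about?q=<b>&'\"";

// The pattern the `property` rule reports: data is concatenated straight into
// markup, so the single quote in `url` ends the href attribute early.
function unsafeConcat(url) {
  return "<a href='" + url + "'>About</a>";
}

// The pattern the rule accepts: the tag sees fragments and value separately,
// and the value comes back with all five special characters escaped.
function safeTagged(url) {
  return escapeHTML`<a href='${url}'>About</a>`;
}

console.log(unsafeConcat(untrusted));
console.log(safeTagged(untrusted));
```

Running the block prints the concatenated string with the raw quote and angle brackets still inside the attribute, followed by the tagged version where they have become entities. Note that the lint rule checks only that the call is shaped this way; whether escapeHTML is actually correct for the context it is used in (attribute, text, URL) remains the responsibility of whoever defines it.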

Install

With yarn or npm:

$ yarn add -D eslint-plugin-no-unsanitized
$ npm install --save-dev eslint-plugin-no-unsanitized

Usage

Flat config

import nounsanitized from "eslint-plugin-no-unsanitized";

export default [nounsanitized.configs.recommended];

or

import nounsanitized from "eslint-plugin-no-unsanitized";

export default [
    {
        files: ["**/*.js"],
        // The key used here is the prefix that the rule names below must carry.
        plugins: { "no-unsanitized": nounsanitized },
        rules: {
            "no-unsanitized/method": "error",
            "no-unsanitized/property": "error",
        },
    },
];

eslintrc

In your .eslintrc.json file enable this rule with the following:

{
    "extends": ["plugin:no-unsanitized/recommended-legacy"]
}

Or:

{
    "plugins": ["no-unsanitized"],
    "rules": {
        "no-unsanitized/method": "error",
        "no-unsanitized/property": "error"
    }
}

Documentation

See docs/.

Dependencies

No runtime dependency information found for this package.

CVE Issues (Active): 0
Scorecards Score: 5.30
Test Coverage: No Data
Follows Semver: Yes
Github Stars: 231
Dependencies (total): 12
Dependencies (Outdated): 5
Dependencies (Deprecated): 0
Threat Modelling: No Data
Repo Audits: No Data

20 Releases