Merge pull request #223 from github/no-script-tag-building
We should never allow building `script` tags in our applications, since doing so sidesteps some security measures.
Showing
6 changed files
with
94 additions
and
0 deletions.
@@ -0,0 +1,24 @@ | ||
# No Dynamic Script Tag | ||
|
||
## Rule Details | ||
|
||
Creating dynamic script tags bypasses a lot of security measures - like SRIs - and pose a potential threat to your application. | ||
Instead of creating a `script` tag in the client, provide all necessary `script` tags in the page's HTML. | ||
|
||
👎 Examples of **incorrect** code for this rule: | ||
|
||
```js | ||
document.createElement('script') | ||
document.getElementById('some-id').type = 'text/javascript' | ||
``` | ||
|
||
👍 Examples of **correct** code for this rule: | ||
|
||
```html | ||
<!-- index.html --> | ||
<script src="/index.js" type="text/javascript"> | ||
``` | ||
## Version | ||
4.3.2 |
@@ -0,0 +1,29 @@ | ||
module.exports = { | ||
meta: { | ||
type: 'suggestion', | ||
docs: { | ||
description: 'disallow creating dynamic script tags', | ||
url: require('../url')(module) | ||
}, | ||
schema: [] | ||
}, | ||
|
||
create(context) { | ||
return { | ||
'CallExpression[callee.property.name="createElement"][arguments.length > 0]': function (node) { | ||
if (node.arguments[0].value !== 'script') return | ||
|
||
context.report({ | ||
node: node.arguments[0], | ||
message: "Don't create dynamic script tags, add them in the server template instead." | ||
}) | ||
}, | ||
'AssignmentExpression[left.property.name="type"][right.value="text/javascript"]': function (node) { | ||
context.report({ | ||
node: node.right, | ||
message: "Don't create dynamic script tags, add them in the server template instead." | ||
}) | ||
} | ||
} | ||
} | ||
} |
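Review bot: The guard `if (node.arguments[0].value !== 'script') return` at the top of the `createElement` handler compares case-sensitively and only works for Literal arguments, so `createElement('SCRIPT')`, which the HTML DOM treats as the same element, and template-literal or identifier arguments (where `.value` is undefined) pass the rule without a report. Replacing it with `const tag = node.arguments[0].value` / `if (typeof tag !== 'string' || tag.toLowerCase() !== 'script') return` covers the case variants and makes the literal-only scope explicit. The second selector likewise matches only the exact string `"text/javascript"`, so an assignment such as `type = "module"` is out of scope; that limitation deserves a comment above the selector, e.g. `// Only the literal MIME type "text/javascript" is checked; other script types are not covered.` The same message string appears in both reports and could be hoisted into a module-level `const MESSAGE` so the two cannot drift apart.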
@@ -0,0 +1,38 @@ | ||
const rule = require('../lib/rules/no-dynamic-script-tag') | ||
const RuleTester = require('eslint').RuleTester | ||
|
||
const ruleTester = new RuleTester() | ||
|
||
ruleTester.run('no-dynamic-script-tag', rule, { | ||
valid: [ | ||
{ | ||
code: 'document.createElement("div")' | ||
}, | ||
{ | ||
code: 'document.createElement("span")' | ||
}, | ||
{ | ||
code: 'document.createElement("span").type = "foo"' | ||
} | ||
], | ||
invalid: [ | ||
{ | ||
code: 'document.createElement("script")', | ||
errors: [ | ||
{ | ||
message: "Don't create dynamic script tags, add them in the server template instead.", | ||
type: 'Literal' | ||
} | ||
] | ||
}, | ||
{ | ||
code: 'document.createElement("span").type = "text/javascript"', | ||
errors: [ | ||
{ | ||
message: "Don't create dynamic script tags, add them in the server template instead.", | ||
type: 'Literal' | ||
} | ||
] | ||
} | ||
] | ||
}) |
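Review bot: The `valid` cases at the top of the run exercise only string-literal `createElement` arguments, so nothing pins how the rule behaves when the argument is not a Literal (for example `document.createElement(tagName)`), which is the path where the rule reads an undefined `.value` and returns early. Adding `{ code: 'document.createElement(tagName)' }` to `valid` records that non-literal arguments are intentionally out of scope, and an `invalid` entry for `document.createElement("SCRIPT")` would guard a case-insensitive match if the rule adopts one. A `valid` case such as `document.createElement("span").type = "module"` would likewise document that only the exact `"text/javascript"` value is flagged.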