Merge pull request #223 from github/no-script-tag-building

We should never allow building `script` tags in our applications since they side-step some security measures.

README.md

@@ -50,6 +50,7 @@ The available configs are:
 - [No Blur](./docs/rules/no-blur.md)
 - [No D None](./docs/rules/no-d-none.md)
 - [No Dataset](./docs/rules/no-dataset.md)
+- [No Dynamic Script Tag](./docs/rules/no-dynamic-script-tag.md)
 - [No Implicit Buggy Globals](./docs/rules/no-implicit-buggy-globals.md)
 - [No Inner HTML](./docs/rules/no-inner-html.md)
 - [No InnerText](./docs/rules/no-innerText.md)

docs/rules/no-dynamic-script-tag.md

@@ -0,0 +1,24 @@
+# No Dynamic Script Tag
+
+## Rule Details
+
+Creating dynamic script tags bypasses a lot of security measures - like SRIs - and pose a potential threat to your application.
+Instead of creating a `script` tag in the client, provide all necessary `script` tags in the page's HTML.
+
+👎 Examples of **incorrect** code for this rule:
+
+```js
+document.createElement('script')
+document.getElementById('some-id').type = 'text/javascript'
+```
+
+👍 Examples of **correct** code for this rule:
+
+```html
+<!-- index.html -->
+<script src="/index.js" type="text/javascript">
+```
+
+## Version
+
+4.3.2

lib/configs/recommended.js

@@ -23,6 +23,7 @@ module.exports = {
     'github/array-foreach': 'error',
     'github/no-implicit-buggy-globals': 'error',
     'github/no-then': 'error',
+    'github/no-dynamic-script-tag': 'error',
     'i18n-text/no-en': ['error'],
     'import/default': 'error',
     'import/export': 'error',

lib/index.js

@@ -12,6 +12,7 @@ module.exports = {
     'no-implicit-buggy-globals': require('./rules/no-implicit-buggy-globals'),
     'no-inner-html': require('./rules/no-inner-html'),
     'no-innerText': require('./rules/no-innerText'),
+    'no-dynamic-script-tag': require('./rules/no-dynamic-script-tag'),
     'no-then': require('./rules/no-then'),
     'no-useless-passive': require('./rules/no-useless-passive'),
     'prefer-observers': require('./rules/prefer-observers'),

lib/rules/no-dynamic-script-tag.js

@@ -0,0 +1,29 @@
+module.exports = {
+  meta: {
+    type: 'suggestion',
+    docs: {
+      description: 'disallow creating dynamic script tags',
+      url: require('../url')(module)
+    },
+    schema: []
+  },
+
+  create(context) {
+    return {
+      'CallExpression[callee.property.name="createElement"][arguments.length > 0]': function (node) {
+        if (node.arguments[0].value !== 'script') return
+
+        context.report({
+          node: node.arguments[0],
+          message: "Don't create dynamic script tags, add them in the server template instead."
+        })
+      },
+      'AssignmentExpression[left.property.name="type"][right.value="text/javascript"]': function (node) {
+        context.report({
+          node: node.right,
+          message: "Don't create dynamic script tags, add them in the server template instead."
+        })
+      }
+    }
+  }
+}

tests/no-dynamic-script-tag.js

@@ -0,0 +1,38 @@
+const rule = require('../lib/rules/no-dynamic-script-tag')
+const RuleTester = require('eslint').RuleTester
+
+const ruleTester = new RuleTester()
+
+ruleTester.run('no-dynamic-script-tag', rule, {
+  valid: [
+    {
+      code: 'document.createElement("div")'
+    },
+    {
+      code: 'document.createElement("span")'
+    },
+    {
+      code: 'document.createElement("span").type = "foo"'
+    }
+  ],
+  invalid: [
+    {
+      code: 'document.createElement("script")',
+      errors: [
+        {
+          message: "Don't create dynamic script tags, add them in the server template instead.",
+          type: 'Literal'
+        }
+      ]
+    },
+    {
+      code: 'document.createElement("span").type = "text/javascript"',
+      errors: [
+        {
+          message: "Don't create dynamic script tags, add them in the server template instead.",
+          type: 'Literal'
+        }
+      ]
+    }
+  ]
+})