Add support for setHTMLUnsafe - fix #232 (#235)

Co-authored-by: Frederik Braun <fb@frederik-braun.com>
mozilla · Jan 29, 2024 · 64cbbae · 64cbbae
1 parent aaff1e1
commit 64cbbae
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/lib/ruleHelper.js b/lib/ruleHelper.js
@@ -51,7 +51,7 @@ RuleHelper.prototype = {
 
 
         switch(expression.type) {
-        case"Literal":
+        case "Literal":
             /*  surely, someone could have an evil literal in there, but that"s malice
             we can just check for unsafe coding practice, not outright malice
             example literal "<script>eval(location.hash.slice(1)</script>"

diff --git a/lib/rules/method.js b/lib/rules/method.js
@@ -44,6 +44,11 @@ const defaultRuleChecks = {
             "document"
         ],
         properties: [0]
+    },
+
+    // check first parameter to `setHTMLUnsafe()`
+    setHTMLUnsafe: {
+        properties: [0]
     }
 };
 

diff --git a/tests/rules/method.js b/tests/rules/method.js
@@ -378,7 +378,12 @@ eslintTester.run("method", rule, {
             // #214: We also allow *harmful* parameters.
             code: "foo.insertAdjacentHTML(wrongParamCount);",
             parserOptions: {ecmaVersion: 2020 },
-        }
+        },
+        {
+
+            // # 232: disallow setHTMLUnsafe, but OK with static string.
+            code: "foo.setHTMLUnsafe('static string')",
+        },
     ],
 
     // Examples of code that should trigger the rule
@@ -973,5 +978,15 @@ eslintTester.run("method", rule, {
                 }
             ],
         },
+        {
+            code: "foo.setHTMLUnsafe(badness)",
+            errors: [
+                {
+                    message: /Unsafe call to foo.setHTMLUnsafe for argument 0/,
+                    type: "CallExpression",
+                },
+            ],
+        },
+
     ]
 });