From 64cbbae24eb1589cdf390a3e4dd4f1599b72f5cf Mon Sep 17 00:00:00 2001
From: Frederik Braun
Date: Mon, 29 Jan 2024 09:41:31 +0100
Subject: [PATCH] Add support for setHTMLUnsafe - fix #232 (#235)

Co-authored-by: Frederik Braun
---
 lib/ruleHelper.js | 2 +-
 lib/rules/method.js | 5 +++++
 tests/rules/method.js | 17 ++++++++++++++++-
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/lib/ruleHelper.js b/lib/ruleHelper.js
index 8377d5d..a9eef8e 100644
--- a/lib/ruleHelper.js
+++ b/lib/ruleHelper.js
@@ -51,7 +51,7 @@ RuleHelper.prototype = {
 switch(expression.type) {
- case"Literal":
+ case "Literal":
 /* surely, someone could have an evil literal in there, but that"s malice we can just check for unsafe coding practice, not outright malice example literal ""
diff --git a/lib/rules/method.js b/lib/rules/method.js
index 0f5fdae..e0ba44c 100644
--- a/lib/rules/method.js
+++ b/lib/rules/method.js
@@ -44,6 +44,11 @@ const defaultRuleChecks = {
 "document"
 ],
 properties: [0]
+ },
+
+ // check first parameter to `setHTMLUnsafe()`
+ setHTMLUnsafe: {
+ properties: [0]
 }
 };
diff --git a/tests/rules/method.js b/tests/rules/method.js
index 50123a8..774533f 100644
--- a/tests/rules/method.js
+++ b/tests/rules/method.js
@@ -378,7 +378,12 @@ eslintTester.run("method", rule, {
 // #214: We also allow *harmful* parameters.
 code: "foo.insertAdjacentHTML(wrongParamCount);",
 parserOptions: {ecmaVersion: 2020 },
- }
+ },
+ {
+
+ // # 232: disallow setHTMLUnsafe, but OK with static string.
+ code: "foo.setHTMLUnsafe('static string')",
+ },
 ],

 // Examples of code that should trigger the rule
@@ -973,5 +978,15 @@ eslintTester.run("method", rule, {
 }
 ],
 },
+ {
+ code: "foo.setHTMLUnsafe(badness)",
+ errors: [
+ {
+ message: /Unsafe call to foo.setHTMLUnsafe for argument 0/,
+ type: "CallExpression",
+ },
+ ],
+ },
+
 ]
 });
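Review bot: The new `setHTMLUnsafe` entry in `defaultRuleChecks` (lib/rules/method.js hunk) should document why only the unsafe variant is listed, since the obvious question for a maintainer is why `setHTML()` is absent: `setHTML()` passes the markup through the platform sanitizer, whereas `setHTMLUnsafe()` parses it as raw HTML without that default sanitization, so only the latter is an injection sink. I would extend the comment to `// check first parameter to setHTMLUnsafe(); setHTML() is sanitized by the platform and is intentionally not listed`. The shape itself is consistent with the `insertAdjacentHTML` entry above (no `objectMatches`, so the call is flagged on any receiver, which is right because the method exists on both Element and ShadowRoot), and `properties: [0]` is the correct coverage because the second argument is an options object rather than markup. If the rule's README enumerates the checked methods, it presumably needs the same addition, but that file is not part of this patch. The `defaultRuleChecks` object starts above the hunk.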
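Review bot: The new valid test case (first tests/rules/method.js hunk) has a stray blank line after its opening `{`, and its comment is written `// # 232` while the sibling case directly above uses `// #214`; the second hunk of the same file adds a similar trailing blank line before the closing `]`. I would write `// #232: disallow setHTMLUnsafe, but allow a static string.` and drop both blank lines. Beyond style, the only invalid case is a bare identifier; if the helper treats template literals as a separate branch (only the `"Literal"` case is visible in the ruleHelper.js hunk), a case such as `foo.setHTMLUnsafe(\`${x}\`)` would confirm that the non-literal path also reaches the new method. The `eslintTester.run` call enclosing both hunks starts and ends outside them.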