Rule proposal: .replace or .replaceAll with non-literal replacement #2309
Description
One might think that a function like this generates safe HTML because the argument is HTML-escaped.
But in fact there's a very obscure cross-site scripting vulnerability here, abusing the $` replacement sequence interpreted by String.prototype.replace and .replaceAll!
To protect against this mistake, it would be nice to have an ESLint rule that forbids use of .replace and .replaceAll where the second argument isn't a string literal or a function.
Fail
Pass
Additional Info
No response
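A concrete illustration of the mistake the proposal describes, as an added example that is not the issue author's snippet and not code from the plugin: the escapeHtml, renderUnsafe, renderSafe and renderSafeEscaped names and the TEMPLATE string are assumed for the demonstration. It shows that HTML-escaping the user value does not help when that value is passed as a replacement string, because $` splices the part of the subject string before the match (here, the template's own `<p title="`) into the output, handing the attacker a raw double quote that escapeHtml never let through. The two safe variants either pass a replacement function (its return value is inserted verbatim) or double every `$` so the replacement-pattern syntax is inert.

```javascript
// Added example; not from the issue or the plugin. Names are illustrative.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed template: the placeholder sits inside a quoted attribute.
const TEMPLATE = '<p title="{{title}}">Hello</p>';

// Vulnerable: the escaped text is a replacement *string*, so replace()
// still interprets $`, $', $&, $$ and $n inside it. $` expands to the
// text before the match, i.e. '<p title="', which closes the attribute.
function renderUnsafe(title) {
  return TEMPLATE.replace('{{title}}', escapeHtml(title));
}

// Safe: a replacement function's return value is inserted verbatim.
function renderSafe(title) {
  return TEMPLATE.replace('{{title}}', () => escapeHtml(title));
}

// Also safe: double every '$' so no replacement pattern survives.
// ('$$$$' in a replacement string yields the two characters '$$'.)
function renderSafeEscaped(title) {
  const escaped = escapeHtml(title).replace(/\$/g, '$$$$');
  return TEMPLATE.replace('{{title}}', escaped);
}

// Constructed attacker input: no <, >, &, " or ', so escapeHtml leaves it
// untouched. The $` brings in the template's own '"', then an unquoted
// event-handler attribute follows.
const PAYLOAD = '$` onmouseover=alert(1) x';

// Returns true when the rendered markup contains an unquoted onmouseover
// attribute, i.e. the attacker escaped the title attribute.
function hasInjectedHandler(html) {
  return /"\s+onmouseover=alert\(1\)/.test(html);
}

// Convenience runner for reading the three outputs side by side.
function demo() {
  return {
    unsafe: renderUnsafe(PAYLOAD),
    safe: renderSafe(PAYLOAD),
    safeEscaped: renderSafeEscaped(PAYLOAD),
  };
}
```

renderUnsafe(PAYLOAD) produces `<p title="<p title=" onmouseover=alert(1) x">Hello</p>`, where onmouseover is a live attribute; both safe variants keep the whole payload inside the title attribute as inert text.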