kitajs / ts-html-plugin

🏛️ The TypeScript LSP plugin to catch XSS vulnerabilities.
https://github.com/kitajs/html
MIT License

Strange TS warnings/errors #12

Closed adicco closed 11 months ago

adicco commented 1 year ago

I am encountering the following warning/error with the tsserver LSP:

image

`error` is `string | undefined` by the way, not an object. I would expect the exact opposite behaviour: no xss-prone warning on the `error` variable, but one on the `p` tag if it didn't have a `safe` attribute.

Any thoughts? Thank you!

adicco commented 1 year ago

A similar one which is also quite odd:

image

While in the EditableListItem component:

image

arthurfiorette commented 12 months ago

> `error` is `string | undefined` by the way, not an object.

If `error` may be a string, you should cast its value into a boolean first, `!!error ?? ...`.

> A similar one which is also quite odd:

The XSS detection tries its best to determine the expression type. This `<>{(async () => {})()}</>` syntax is pretty odd and you should not write code like that, please hoist this to the top of your function. (Tech expl: an async function casts the return type to Promise, which changes the JSX.Element type to only Promise and the plugin cannot detect it, special cases like map calls were done because of its common usage, however I do not have time to implement this specific syntax.)

> While in the EditableListItem component:

The EditableListItem component itself is xss safe, however the previous example cannot detect that that is what will be returned inside the IIFE.

adicco commented 11 months ago

Thanks @arthurfiorette, I will try these various pointers. And good to know re: the type being cast to a string instead of the JSX.Element