mozilla / eslint-plugin-no-unsanitized

Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and the like
Mozilla Public License 2.0
223 stars 34 forks

We have hardcoded sanitizers that likely nobody uses. We should move them to the defaultRulesCheck empty object instead #107

Closed mozfreddyb closed 4 years ago

mozfreddyb commented 4 years ago

See https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/e3efa339e8a0aa1e4702af42db85008a20d8ea2c/lib/ruleHelper.js#L9-10

// names of escaping functions that we acknowledge
const VALID_ESCAPERS = ["Sanitizer.escapeHTML", "escapeHTML"];
const VALID_UNWRAPPERS = ["Sanitizer.unwrapSafeHTML", "unwrapSafeHTML"];

when instead we should remove it here and put it into the default configuration.

People can then override it and have better control over what they actually want to allow. This would not be a breaking change.

I've also noticed that we don't have tests for custom escapers (which is probably a super common use case :scream: )
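
The design change proposed above, escaper names kept in an overridable default configuration rather than in a constant, as an added example that is not the plugin's own code. It walks ESTree-shaped nodes the way a lint rule would, but the node construction helpers, `DEFAULT_ESCAPERS`, `resolveEscapers` and `checkSinkAssignment` are hypothetical names, and the config shape (`methods` / `taggedTemplates`) is an assumption, not the plugin's documented option schema.

```javascript
// Added example (not the plugin's own code): an allowlist-driven check for
// assignments to HTML sinks over ESTree-shaped nodes, with the escaper names
// held in an overridable default config instead of a hardcoded constant.
// DEFAULT_ESCAPERS, resolveEscapers and checkSinkAssignment are hypothetical names.

const SINK_PROPERTIES = new Set(["innerHTML", "outerHTML"]);

// Defaults that apply only when the project config says nothing.
const DEFAULT_ESCAPERS = Object.freeze({
  methods: ["Sanitizer.escapeHTML", "escapeHTML", "Sanitizer.unwrapSafeHTML", "unwrapSafeHTML"],
  taggedTemplates: [],
});

// A user-supplied list replaces the default list for that key, so a project can
// drop names it never defines (a global `escapeHTML` it does not own would
// otherwise be trusted blindly).
function resolveEscapers(userEscape = {}) {
  const pick = (key) =>
    Array.isArray(userEscape[key]) ? [...userEscape[key]] : [...DEFAULT_ESCAPERS[key]];
  return { methods: pick("methods"), taggedTemplates: pick("taggedTemplates") };
}

// Dotted callee name ("Sanitizer.escapeHTML"); null when it cannot be resolved
// statically (computed member access, call results, etc.).
function calleeName(node) {
  if (node.type === "Identifier") return node.name;
  if (node.type === "ThisExpression") return "this";
  if (node.type === "MemberExpression" && !node.computed) {
    const object = calleeName(node.object);
    return object === null ? null : `${object}.${node.property.name}`;
  }
  return null;
}

// Conservative: only shapes that can be proven safe are accepted; identifiers,
// unresolved callees and unknown node types are treated as tainted.
function isSafeExpression(node, escapers) {
  switch (node.type) {
    case "Literal":
      return true;
    case "TemplateLiteral":
      return node.expressions.every((e) => isSafeExpression(e, escapers));
    case "TaggedTemplateExpression": {
      const name = calleeName(node.tag);
      return name !== null && escapers.taggedTemplates.includes(name);
    }
    case "CallExpression": {
      const name = calleeName(node.callee);
      return name !== null && escapers.methods.includes(name);
    }
    case "BinaryExpression":
      return node.operator === "+" &&
        isSafeExpression(node.left, escapers) && isSafeExpression(node.right, escapers);
    case "ConditionalExpression":
      return isSafeExpression(node.consequent, escapers) && isSafeExpression(node.alternate, escapers);
    default:
      return false;
  }
}

// null when the assignment is acceptable, otherwise a diagnostic string.
function checkSinkAssignment(assignment, userEscape) {
  const { left, right } = assignment;
  if (left.type !== "MemberExpression" || left.computed || !SINK_PROPERTIES.has(left.property.name)) {
    return null; // not an HTML sink
  }
  const escapers = resolveEscapers(userEscape);
  return isSafeExpression(right, escapers) ? null : `Unsafe assignment to ${left.property.name}`;
}

// Constructed sample ASTs: what a parser would emit for the commented source.
const id = (name) => ({ type: "Identifier", name });
const member = (object, property, computed = false) => ({ type: "MemberExpression", object, property, computed });
const call = (callee, ...args) => ({ type: "CallExpression", callee, arguments: args });
const assign = (right) => ({ type: "AssignmentExpression", operator: "=", left: member(id("el"), id("innerHTML")), right });

const SAMPLES = {
  // el.innerHTML = escapeHTML(userInput)
  defaultEscaper: assign(call(id("escapeHTML"), id("userInput"))),
  // el.innerHTML = DOMPurify.sanitize(userInput)
  customEscaper: assign(call(member(id("DOMPurify"), id("sanitize")), id("userInput"))),
  // el.innerHTML = userInput
  rawInput: assign(id("userInput")),
  // el.innerHTML = "<b>static</b>"
  literal: assign({ type: "Literal", value: "<b>static</b>" }),
  // el.innerHTML = sanitizers[name](userInput): callee not statically resolvable
  computedCallee: assign(call(member(id("sanitizers"), id("name"), true), id("userInput"))),
};

function runSamples(userEscape) {
  const out = {};
  for (const [label, node] of Object.entries(SAMPLES)) out[label] = checkSinkAssignment(node, userEscape);
  return out;
}

console.log("defaults:", runSamples());
console.log("project config:", runSamples({ methods: ["DOMPurify.sanitize"] }));
```

With the defaults, `escapeHTML(userInput)` passes and `DOMPurify.sanitize(userInput)` is flagged; with a project config of `{ methods: ["DOMPurify.sanitize"] }` the verdicts swap, because the user list replaces the default rather than extending it. The raw identifier and the computed callee are flagged under both configs, which is the point of keeping the check conservative.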

Issue #108