Closed brettz9 closed 4 years ago
Thank you for taking your time to write this report!
My pull request #114 ought to fix this, but is pending review for a bit while my previous co-conspirator has left :)
To clarify, #114 will fix `(foo, document.body.insertAdjacentHTML)('beforebegin', harmful)`; `bind()` is a bit more problematic and should likely be moved to a follow-up issue.

```js
(0, document.body.insertAdjacentHTML.bind(document.body))('beforebegin', '<b>Boo</b>')
```
Hi,

In order to examine the safety of `dist` code, which is often Babelified, one comes across numerous comma-operator expressions such as these, which give an "Unexpected Callee" message in eslint-plugin-no-unsanitized:

The error is triggered as the above `(0, ...)` code is a `SequenceExpression`, which is not a handled callee node type in the plugin's `method.js` file.

The reason for this approach is well-explained in the answers at https://stackoverflow.com/questions/32275135/why-does-babel-rewrite-imported-function-call-to-0-fn , namely to ensure `this` is set to a global (allowing Babel to use some namespacing without calling on said namespace).

While unlikely to be generated by Babel (e.g., the `bind` below which makes it work is not added by Babel), I do expect this would need to be handled as one could technically have this functional code and which could get through:
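As an added illustration (not code from this issue, from #114 or from the plugin's `method.js`), here is one way a rule could resolve the callee behind both the comma-operator form and the `.bind(...)` form before checking the method name, so neither shape slips past the check. The ESTree fragments are hand-built to the shape an ESLint rule receives from the parser, and `resolveCalleeName`, `isUnsanitizedSink` and the sink list are assumed names, not the plugin's.

```javascript
const SINK_METHODS = new Set(['insertAdjacentHTML']); // assumption: method names the rule flags

// Returns the name of the member method ultimately invoked, or null if unresolvable.
function resolveCalleeName(node) {
  let callee = node;
  for (;;) { // wrappers can nest: (0, (0, x.m).bind(x))(...)
    if (callee.type === 'SequenceExpression') {
      // The comma operator yields its last operand; that is what gets called.
      callee = callee.expressions[callee.expressions.length - 1];
    } else if (callee.type === 'CallExpression' &&
               callee.callee.type === 'MemberExpression' &&
               !callee.callee.computed &&
               callee.callee.property.name === 'bind') {
      // x.m.bind(thisArg) yields a function that still runs x.m.
      callee = callee.callee.object;
    } else if (callee.type === 'MemberExpression' && !callee.computed) {
      return callee.property.name;
    } else {
      return null;
    }
  }
}

function isUnsanitizedSink(callExpr) {
  const name = resolveCalleeName(callExpr.callee);
  return name !== null && SINK_METHODS.has(name);
}

// Builders for the hand-constructed ESTree fragments used below.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const member = (object, prop) => ({ type: 'MemberExpression', object, property: id(prop), computed: false });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });
const seq = (...expressions) => ({ type: 'SequenceExpression', expressions });

// document.body.insertAdjacentHTML
const sink = member(member(id('document'), 'body'), 'insertAdjacentHTML');
// (foo, document.body.insertAdjacentHTML)('beforebegin', harmful)
const commaCall = call(seq(id('foo'), sink), [lit('beforebegin'), id('harmful')]);
// (0, document.body.insertAdjacentHTML.bind(document.body))('beforebegin', '<b>Boo</b>')
const bindCall = call(seq(lit(0), call(member(sink, 'bind'), [member(id('document'), 'body')])),
                      [lit('beforebegin'), lit('<b>Boo</b>')]);
// (0, console.log)('hello'), a comma-wrapped call that should not be flagged
const benignCall = call(seq(lit(0), member(id('console'), 'log')), [lit('hello')]);

console.log(isUnsanitizedSink(commaCall), isUnsanitizedSink(bindCall), isUnsanitizedSink(benignCall));
```

A real rule would still need to report the original `CallExpression` node and apply the plugin's existing sanitizer checks to the resolved arguments; this only shows the callee unwrapping.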