mozilla / eslint-plugin-no-unsanitized

Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and the like
Mozilla Public License 2.0
228 stars 37 forks

Unsupported Callee for CallExpression (SequenceExpression) #113

Closed brettz9 closed 4 years ago

brettz9 commented 4 years ago

Hi,

In order to examine the safety of dist code, which is often Babelified, one comes across numerous comma-operator expressions such as the following, which give an "Unexpected Callee" message in eslint-plugin-no-unsanitized:

  const puncts = (0, _mainUmd.RegExtras)(sentenceEndGrouping).map(txt, punct => {
    return punct;
  });

The error is triggered as the above (0, ...) code is a SequenceExpression, which is not a handled callee node type in the plugin's method.js file.

The reason for this approach is well-explained in the answers at https://stackoverflow.com/questions/32275135/why-does-babel-rewrite-imported-function-call-to-0-fn , namely to ensure this is set to a global (allowing Babel to use some namespacing without calling on said namespace).

While unlikely to be generated by Babel (e.g., the bind below which makes it work is not added by Babel), I do expect this would need to be handled, as one could technically have this functional code, which could get through:

(0, document.body.insertAdjacentHTML.bind(document.body))('beforebegin', '<b>Boo</b>')

mozfreddyb commented 4 years ago

Thank you for taking your time to write this report!

My pull request #114 ought to fix this, but is pending review for a bit while my previous co-conspirator has left :)

mozfreddyb commented 4 years ago

To clarify, #114 will fix (foo, document.body.insertAdjacentHTML)('beforebegin', harmful)

bind() is a bit more problematic and should likely be moved to a follow-up issue.

(0, document.body.insertAdjacentHTML.bind(document.body))('beforebegin', '<b>Boo</b>')
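The two callee shapes discussed in this thread, the comma-operator call that #114 addresses and the bind() variant deferred to a follow-up, as an added worked example. This is not code from eslint-plugin-no-unsanitized or from either commenter: it is a small ESTree callee resolver with hand-built AST nodes (constructed sample input, so no parser is needed), and its UNSAFE_METHODS list is an assumed sink list, not the plugin's configuration.

```javascript
'use strict';
// Added example, not the plugin's own code: resolve the real callee of an
// ESTree CallExpression, unwrapping the (0, ns.fn)(...) pattern Babel emits
// and the .bind() variant from the thread. UNSAFE_METHODS is an assumption.

const UNSAFE_METHODS = new Set(['insertAdjacentHTML']);

// Minimal ESTree node builders used to construct the samples below.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const member = (object, name) => ({ type: 'MemberExpression', object, property: id(name), computed: false });
const call = (callee, args = []) => ({ type: 'CallExpression', callee, arguments: args });
const seq = (...expressions) => ({ type: 'SequenceExpression', expressions });

// Follow a callee down to the node that is actually invoked. Returns an
// Identifier or MemberExpression, or null for shapes this resolver does not
// understand (reported as unsupported rather than silently treated as safe).
function resolveCallee(node, depth = 0) {
  if (!node || depth > 16) return null; // guard against pathological nesting
  switch (node.type) {
    case 'Identifier':
    case 'MemberExpression':
      return node;
    case 'SequenceExpression':
      // (a, b, c)(args): every operand is evaluated, but only the last one is called.
      return resolveCallee(node.expressions[node.expressions.length - 1], depth + 1);
    case 'CallExpression': {
      // x.insertAdjacentHTML.bind(x)(args): what runs is the function bind()
      // returned, so step back to the member expression bind() was called on.
      const c = node.callee;
      if (c.type === 'MemberExpression' && !c.computed &&
          c.property.type === 'Identifier' && c.property.name === 'bind') {
        return resolveCallee(c.object, depth + 1);
      }
      return null;
    }
    default:
      return null;
  }
}

// Property name of a member expression: foo.bar and foo['bar'] give 'bar';
// foo[expr] gives null because the name is not known statically.
function memberName(node) {
  if (node.computed) {
    return node.property.type === 'Literal' && typeof node.property.value === 'string'
      ? node.property.value : null;
  }
  return node.property.type === 'Identifier' ? node.property.name : null;
}

// 'unsafe' when the call invokes a sink method, 'unsupported' when the callee
// cannot be resolved, 'safe' otherwise. A rule that only inspects a callee of
// type MemberExpression misses the sequence and bound samples below.
function classifyCall(callNode) {
  const target = resolveCallee(callNode.callee);
  if (target === null) return 'unsupported';
  if (target.type === 'Identifier') return 'safe';
  return UNSAFE_METHODS.has(memberName(target)) ? 'unsafe' : 'safe';
}

// Constructed samples mirroring the snippets in the thread.
const body = member(id('document'), 'body');
const SAMPLES = {
  // document.body.insertAdjacentHTML('beforebegin', harmful)
  direct: call(member(body, 'insertAdjacentHTML'), [lit('beforebegin'), id('harmful')]),
  // (foo, document.body.insertAdjacentHTML)('beforebegin', harmful)
  sequence: call(seq(id('foo'), member(body, 'insertAdjacentHTML')), [lit('beforebegin'), id('harmful')]),
  // (0, document.body.insertAdjacentHTML.bind(document.body))('beforebegin', '<b>Boo</b>')
  bound: call(seq(lit(0), call(member(member(body, 'insertAdjacentHTML'), 'bind'), [body])),
              [lit('beforebegin'), lit('<b>Boo</b>')]),
  // (0, _mainUmd.RegExtras)(sentenceEndGrouping): Babel's import call, not a sink
  babelImport: call(seq(lit(0), member(id('_mainUmd'), 'RegExtras')), [id('sentenceEndGrouping')]),
  // (c ? a : b)(): a callee shape the resolver deliberately leaves unsupported
  conditional: call({ type: 'ConditionalExpression', test: id('c'), consequent: id('a'), alternate: id('b') }),
};

function classifyAll() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([k, n]) => [k, classifyCall(n)]));
}

// Why Babel emits (0, ns.fn)() at all: the comma operator yields the bare
// function value, so the call no longer has ns as its receiver.
function sequenceCallDropsThis() {
  const ns = { fn() { return this; } };
  return { direct: ns.fn() === ns, viaSequence: (0, ns.fn)() !== ns };
}

console.log(classifyAll(), sequenceCallDropsThis());
```

The resolver returns 'unsupported' instead of 'safe' for callee shapes it does not model, so an unhandled pattern surfaces as a loud failure, which is the behaviour the original report ran into, rather than a silent miss.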