mozilla / eslint-plugin-no-unsanitized

Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and alike
Mozilla Public License 2.0

Unsupported Callee of type TemplateLiteral for CallExpression #193

Closed serv-inc closed 2 years ago

serv-inc commented 2 years ago
/** @fileinfo clicks safe search button as a fallback */
const script = document.createElement("script");
script.textContent = ```document.querySelector('a[href*="safeui=on"')?.click();```;
(document.head || document.documentElement).appendChild(script);
script.remove();

See https://github.com/serv-inc/safe-search/blob/master/addon/google_safe_fallback.js

mozfreddyb commented 2 years ago

Thanks for filing this. The line in question is undoubtedly the third, which I have a really, really hard time parsing in my head :) What is the intention of this code here? It reads to me as if you just want the string document.querySelector('a[href*="safeui=on"')?.click(); assigned to textContent. But that's not what this line is doing!

With those three backticks, you'd end up with a Tagged Template String, which is a way to call a function. And in this case, the function would be the return value of the first double-backtick (e.g., the empty string). That can't be right.

I think you meant to write this source code...

script.textContent = `document.querySelector('a[href*="safeui=on"')?.click();`;
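The behaviour described in the comment above, as an added example that is not part of this thread or of the plugin: it evaluates a triple-backtick line and the single-backtick fix side by side, and shows what a tag function actually receives. The helper names (`tag`, `evalExpr`, `brokenAssignment`, `fixedAssignment`, `taggedCall`) and the shortened selector `'x'` are assumptions made for the example.

```javascript
// Added example, not code from the issue or from eslint-plugin-no-unsanitized.

// A tag function exposes what a tagged template passes to its callee:
// the cooked string pieces and the interpolated values.
function tag(strings, ...values) {
  return { strings: Array.from(strings), values };
}

// Evaluate one expression in isolation and report its value or the error type.
function evalExpr(src) {
  try {
    return { ok: true, value: Function(`"use strict"; return (${src});`)() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The original right-hand side: the first pair of backticks is an empty
// template literal, so the middle `...` is a tagged-template CALL with "" as
// the callee (and the trailing pair is a second call). "" is not a function,
// so this throws a TypeError at runtime instead of producing a string.
// (Selector shortened to 'x'; it is never evaluated here.)
function brokenAssignment() {
  return evalExpr("```document.querySelector('x')?.click();```");
}

// The suggested fix: one pair of backticks is a plain template literal string.
function fixedAssignment() {
  return evalExpr("`document.querySelector('x')?.click();`");
}

// With a real tag function, the same syntax is a function call, not a string.
function taggedCall() {
  return tag`a[href*="${"safeui=on"}"]`;
}

console.log(brokenAssignment()); // { ok: false, error: 'TypeError' }
console.log(fixedAssignment());  // { ok: true, value: "document.querySelector('x')?.click();" }
console.log(taggedCall());       // { strings: [ 'a[href*="', '"]' ], values: [ 'safeui=on' ] }
```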
mozfreddyb commented 2 years ago

@serv-inc?

serv-inc commented 2 years ago

@mozfreddyb : great, thanks a lot

mozfreddyb commented 2 years ago

Thank you for putting your trust in our eslint plugin :)

serv-inc commented 2 years ago

Thanks for the plugin, and for pointing out the problem :-D