search

mozilla / eslint-plugin-no-unsanitized

Custom ESLint rule to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike
Mozilla Public License 2.0
222 stars 33 forks source link

Improve documentation for supplying valid escape/sanitize functions #205

Open Abdullilah opened 2 years ago

Abdullilah commented 2 years ago

It would be good if this plugin excluded the code which is sanitised by the sanitize function from the DomSanitizer.

Example: this.hostElement.innerHTML = content;

this is unsanitized content which makes sense for the plugin to complain about it, but when we sanitise the content:

this.hostElement.innerHTML = <string>this.domSanitizer.sanitize(SecurityContext.HTML, content);

I am still getting Eslint unsafe assignment even though the content I am adding is fully sanitised.

Could you please have a look and add this improvement to the plugin?

mozfreddyb commented 2 years ago

We allow custom sanitizers through configurations. See this testcase to check that users can allow DOMPurify: https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/d50ae4d0dd886d04139bec63fc4490a18f61a4d9/tests/rules/property.js#L154-L164 (Added in #108).

Does that not work for you?

Abdullilah commented 2 years ago

@mozfreddyb Thanks for your comment.

Could you please tell me how to add it exactly to the configuration?

I tried to add this line to the eslint rules:

"extends": ["plugin:no-unsanitized/DOM"],
"rules": {"no-unsanitized/method": ["error", { "escape": { "methods": ["DomSanitizer.sanitize"] } }]}

OR

"extends": ["plugin:no-unsanitized/DOM"],
"rules": {"no-unsanitized/method": ["error", { "escape": { "methods": ["DOMPurify.sanitize"] } }]}

but I am still getting the same eslint error:

Screen Shot 2022-06-01 at 12 25 34

mozfreddyb commented 2 years ago

In your example, you're modifying the options of the no-unsanitized/method, which protects you from calling methods (e.g., insertAdjacentHTML(), document.write(), ..).

You also need to do this for the no-unsanitized/property rule which protects properties (e.g., .innerHTML)

mozfreddyb commented 1 year ago

@Abdullilah Did you end up resolving your issue? I'm leaning towards closing this issue.

rszczypka commented 12 months ago

This works but only when done this way


"rules": {
"no-unsanitized/method": ["error", { "escape": { "methods": ["this.domSanitizer.sanitize"] } }],
"no-unsanitized/property": ["error", { "escape": { "methods": ["this.domSanitizer.sanitize"] } }],
}
mozfreddyb commented 7 months ago

Looks like everything works as intended here. We can repurpose the issue, if someone wants to update the documentation though.