Open Abdullilah opened 2 years ago
We allow custom sanitizers through configurations. See this testcase to check that users can allow DOMPurify: https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/d50ae4d0dd886d04139bec63fc4490a18f61a4d9/tests/rules/property.js#L154-L164 (Added in #108).
Does that not work for you?
@mozfreddyb Thanks for your comment.
Could you please tell me how to add it exactly to the configuration?
I tried to add this line to the eslint rules:
"extends": ["plugin:no-unsanitized/DOM"],
"rules": {"no-unsanitized/method": ["error", { "escape": { "methods": ["DomSanitizer.sanitize"] } }]}
OR
"extends": ["plugin:no-unsanitized/DOM"],
"rules": {"no-unsanitized/method": ["error", { "escape": { "methods": ["DOMPurify.sanitize"] } }]}
but I am still getting the same eslint error:
In your example, you're modifying the options of the no-unsanitized/method rule, which protects you from calling methods (e.g., insertAdjacentHTML(), document.write(), ...). You also need to do this for the no-unsanitized/property rule, which protects properties (e.g., .innerHTML).
@Abdullilah Did you end up resolving your issue? I'm leaning towards closing this issue.
This works, but only when done this way:
"rules": {
"no-unsanitized/method": ["error", { "escape": { "methods": ["this.domSanitizer.sanitize"] } }],
"no-unsanitized/property": ["error", { "escape": { "methods": ["this.domSanitizer.sanitize"] } }]
}
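The observation in the post above (the entry only works as "this.domSanitizer.sanitize", not as "DomSanitizer.sanitize") comes down to how an escape method is matched: against the callee path exactly as it is written at the assignment site. The following is an added illustration, not code from eslint-plugin-no-unsanitized; it assumes the plugin compares the full dotted callee path (including a leading "this") with each configured "escape.methods" entry, and it treats a TypeScript angle-bracket cast such as "<string>" as transparent. The sample source lines are constructed from the snippets in this issue.

```javascript
// Added illustration (not the plugin's code): how an "escape.methods" entry is
// matched against the callee written in the source. Assumption: the plugin
// compares the full dotted callee path, so "DomSanitizer.sanitize" and
// "this.domSanitizer.sanitize" are distinct entries. Sample lines are constructed.

// Extract the right-hand side of an `x.innerHTML = ...;` assignment, or null.
function innerHtmlAssignmentRhs(line) {
  const m = /\.innerHTML\s*=\s*(.+?);?\s*$/.exec(line);
  return m ? m[1].trim() : null;
}

// Strip a leading TypeScript angle-bracket cast such as `<string>`.
// Assumption: the cast does not change which call is being recognised.
function stripTypeCast(expr) {
  return expr.replace(/^<[^<>]+>\s*/, "");
}

// Return the dotted callee path of a call (`this.a.b(...)` -> "this.a.b"),
// or null when the expression is not a plain call.
function calleePath(expr) {
  const m = /^([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\(/.exec(expr);
  return m ? m[1] : null;
}

// Decide whether one line would be reported under a given escape.methods list.
function checkLine(line, escapeMethods) {
  const rhs = innerHtmlAssignmentRhs(line);
  if (rhs === null) return { reported: false, reason: "no innerHTML assignment" };
  const callee = calleePath(stripTypeCast(rhs));
  if (callee === null) return { reported: true, reason: "value is not a call to an escape method" };
  if (escapeMethods.includes(callee)) return { reported: false, reason: `wrapped in allowed ${callee}` };
  return { reported: true, reason: `callee ${callee} is not in escape.methods` };
}

// Constructed sample lines modelled on the issue text.
const SAMPLE = [
  "this.hostElement.innerHTML = content;",
  "this.hostElement.innerHTML = <string>this.domSanitizer.sanitize(SecurityContext.HTML, content);",
  "el.innerHTML = DOMPurify.sanitize(html);",
];

function run(escapeMethods) {
  return SAMPLE.map((line) => ({ line, ...checkLine(line, escapeMethods) }));
}

// Demonstration: the class name alone does not match an instance call.
if (typeof require !== "undefined" && require.main === module) {
  for (const cfg of [["DomSanitizer.sanitize"], ["this.domSanitizer.sanitize", "DOMPurify.sanitize"]]) {
    console.log(`escape.methods = ${JSON.stringify(cfg)}`);
    for (const r of run(cfg)) console.log(`  ${r.reported ? "REPORT" : "ok    "} ${r.reason}: ${r.line}`);
  }
}
```

Running it shows the second sample line reported under ["DomSanitizer.sanitize"] and accepted under ["this.domSanitizer.sanitize"], which is the behaviour the post describes; the unwrapped assignment is reported under either configuration.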
Looks like everything works as intended here. We can repurpose the issue, if someone wants to update the documentation though.
It would be good if this plugin excluded the code which is sanitised by the sanitize function from the DomSanitizer.
Example:
this.hostElement.innerHTML = content;
This is unsanitized content, so it makes sense for the plugin to complain about it, but when we sanitise the content:
this.hostElement.innerHTML = <string>this.domSanitizer.sanitize(SecurityContext.HTML, content);
I am still getting the ESLint unsafe assignment error even though the content I am adding is fully sanitised.
Could you please have a look and add this improvement to the plugin?