mozilla / eslint-plugin-no-unsanitized

Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and the like
Mozilla Public License 2.0
222 stars 33 forks

we should try and get information about arguments supplied as SpreadElement #214

Open mozfreddyb opened 1 year ago

mozfreddyb commented 1 year ago

Before #211 when looking for the second argument (i.e., arguments[1]), we hit index-out-of-bounds if the arguments are supplied as a SpreadElement (insertAdjacentHTML(...args)). With #211 fixed, we'll stop erroring but skip the check.

This issue here is filed to identify how much we can find out about said SpreadElement and maybe do some checking on its correct element. This is easy for the built-in rules and if the first and only argument is the SpreadElement. But it gets obviously harder if we look for the Nth element where the supplied arguments are a mix of positioned and Spread. The built-in rules only ever check for position 0 and 1 (e.g., document.write and insertAdjacentHTML) though.

This is a follow-up to #211.
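As an added illustration of the problem described in this issue (example code, not part of eslint-plugin-no-unsanitized): a helper that resolves "which node supplies argument N" over an ESTree argument list that may contain SpreadElement nodes. A spread of an array literal can be expanded statically; any other spread makes every position at or after it unknown, which is where the rule previously hit the out-of-bounds read. The `HTML_ARG_POSITION` map, the three result statuses and the "constant string is safe" rule are simplifying assumptions for this example, not the plugin's real configuration, and the AST fragments at the bottom are constructed by hand in ESTree shape.

```javascript
// Added example, not the plugin's own code. Resolves the argument at a
// given position of a CallExpression when SpreadElement nodes are present.

// Assumed positions of the HTML-carrying argument for the built-in checks.
const HTML_ARG_POSITION = { insertAdjacentHTML: 1, write: 0, writeln: 0 };

/**
 * Return { status: "resolved", node } when the argument at `index` can be
 * determined statically, { status: "unknown", spread } when a spread of
 * unknown length precedes it, or { status: "absent" } when the call simply
 * has fewer arguments than `index + 1`.
 */
function resolveArgument(args, index) {
  const known = [];
  for (const arg of args) {
    if (arg.type !== "SpreadElement") {
      known.push(arg);
      continue;
    }
    const inner = arg.argument;
    // `f(...["a", b])` has a statically known length: expand it in place.
    const literalArray =
      inner.type === "ArrayExpression" &&
      inner.elements.every((el) => el !== null && el.type !== "SpreadElement");
    if (literalArray) {
      known.push(...inner.elements);
      continue;
    }
    // `f(...args)`: positions before the spread are fixed, the rest are not.
    return index < known.length
      ? { status: "resolved", node: known[index] }
      : { status: "unknown", spread: inner };
  }
  return index < known.length
    ? { status: "resolved", node: known[index] }
    : { status: "absent" };
}

// Simplified safety rule for this example: only constant strings are safe.
function isConstantString(node) {
  if (node.type === "Literal") return typeof node.value === "string";
  if (node.type === "TemplateLiteral") return node.expressions.length === 0;
  return false;
}

// Classify a call as "safe", "unsafe", "unknown" (spread hides the
// argument) or "not-applicable" (not a checked method / no such argument).
function checkCall(callNode) {
  const callee = callNode.callee;
  if (callee.type !== "MemberExpression" || callee.property.type !== "Identifier") {
    return "not-applicable";
  }
  const position = HTML_ARG_POSITION[callee.property.name];
  if (position === undefined) return "not-applicable";
  const result = resolveArgument(callNode.arguments, position);
  if (result.status === "absent") return "not-applicable";
  if (result.status === "unknown") return "unknown";
  return isConstantString(result.node) ? "safe" : "unsafe";
}

// Constructed ESTree fragments used as sample input (not parsed from real code).
const id = (name) => ({ type: "Identifier", name });
const str = (value) => ({ type: "Literal", value });
const spread = (argument) => ({ type: "SpreadElement", argument });
const arr = (...elements) => ({ type: "ArrayExpression", elements });
const method = (obj, prop, ...args) => ({
  type: "CallExpression",
  callee: { type: "MemberExpression", object: id(obj), property: id(prop), computed: false },
  arguments: args,
});

const SAMPLES = {
  literal: method("el", "insertAdjacentHTML", str("beforeend"), str("<b>x</b>")),
  variable: method("el", "insertAdjacentHTML", str("beforeend"), id("html")),
  spreadUnknown: method("el", "insertAdjacentHTML", spread(id("args"))),
  spreadLiteralArray: method("el", "insertAdjacentHTML", spread(arr(str("beforeend"), id("html")))),
  positionedThenSpread: method("el", "insertAdjacentHTML", str("beforeend"), spread(id("rest"))),
  docWriteSpread: method("document", "write", spread(id("parts"))),
};

for (const [name, node] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(22), checkCall(node));
}
```

The "unknown" status is the interesting one for the rule: it is the case where a lint can neither prove the call safe nor point at a concrete offending node, so a rule has to decide whether to stay silent (as after #211) or report the spread itself with a lower-confidence message.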

mozfreddyb commented 7 months ago

This requires some help. But I promise this won't be easy. :)