mozilla / eslint-plugin-no-unsanitized

Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and alike
Mozilla Public License 2.0

Restrict reference to `document` object #240

Closed nrutman closed 1 month ago

nrutman commented 2 months ago

Unfortunately, I can't use the no-unsanitized/method rule because I have a custom object named controlListDocumentCache which has a write method.

When including no-unsanitized/method I get the following lint error:

error  Unsafe call to controlListDocumentCache.write for argument 0  no-unsanitized/method

It seems overly restrictive that this lint rule would prevent any variable name with document in the name that implements a write() method. Could we more strictly reference the global JS document object so it doesn't flag these custom variables/objects?

mozfreddyb commented 2 months ago

The customization / configuration should allow you to switch the current behavior. I believe our documentation in docs/rules/customization.md might not properly reflect that and might be outdated with the upcoming migration to eslint 9, but maybe this test case helps.

nrutman commented 2 months ago

Well sure. I can turn the defaults off, but then isn't that essentially the same as not including no-unsanitized/method?

I am wondering if I could redefine the default with a more strict regex. I'm trying something like this for the rule definition:

'no-unsanitized/method': [
    'error',
    // first options object: general settings (escape functions treated as sanitizers)
    {
        escape: {
            methods: ['sanitizeHtml', 'useHtmlSanitizer'],
        },
    },
    // second options object: methods to check, keyed by method name
    {
        write: {
            objectMatches: ['^document$'],
            properties: [0], // argument index to check
        },
        writeln: {
            objectMatches: ['^document$'],
            properties: [0],
        },
    },
],

But now I can't get it to error on something like:

document.write('foo');

Do you have any thoughts about how I can have it issue a lint error when matching the global document object but not on an object that simply has document in the name?

mozfreddyb commented 2 months ago

Looks like the instructions are a bit unclear. Spelunking in the code around the findings for the objectMatches stuff, it seems you may have to use \bdocument\b or such.

mozfreddyb commented 1 month ago

@nrutman Did that work for you?

mozfreddyb commented 1 month ago

@nrutman I'm going to close this and will be happy to re-open if this problem persists.