mozilla / eslint-plugin-no-unsanitized

Custom ESLint rules to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and the like
Mozilla Public License 2.0

Make a new rule "innerText" property when append script tag? #89

Open realdennis opened 5 years ago

realdennis commented 5 years ago
// attack_var is attacker-controlled and never sanitized
var script = document.createElement('script');
// the text of a <script> element is its source code, so whatever ends up in
// attack_var is executed once the element is attached to the document
script.innerText = attack_var;
document.body.append(script);

I thought innerText could be harmful in this case when attack_var is unsanitized.

mozfreddyb commented 5 years ago

Yes, it's true that innerText is harmful when used with script elements. Our linter does not know anything about types, so there is no way to figure out if the innerText assignment is harmless (the common case) or not.

What we've done for document.write() is that we created a regular expression for the former part matching stuff like document, contentDocument, etc.

What we /could/ do is create an innerText rule that disallows assignments when the left part matches script. But it's still error prone.

mozfreddyb commented 2 years ago

This should be relatively simple. If there's enough interest, I'm happy to guide someone along the way.

Lawful2002 commented 2 years ago

Hello @mozfreddyb, I would like to work on this issue. Could you please guide me on how to proceed?

mozfreddyb commented 2 years ago

Sorry, I'll need to de-prioritize this. If anyone wants to fix this for themselves, here's a suggestion: use a custom configuration that adds a check on property where the assigned-to property is innerText (it will then complain for all innerText assignments), or add a key to the underlying object called matches, which allows regex matching on the object variable on which the .innerText property is assigned (e.g., "script"). See https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/master/docs/rules/customization.md for more.
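For anyone following that suggestion, here is an added example of such a configuration. It is not taken from the plugin's own documentation or from anyone in this thread; it assumes the option shape described in docs/rules/customization.md (the rule's third positional argument holds per-property checks, and objectMatches is a list of regex strings tested against the source text of the object being assigned to), so verify the key names against the plugin version you run. It also goes one step beyond the thread by adding the same check for textContent, because assigning untrusted text to the textContent of a script element executes it exactly like innerText does.

```javascript
// .eslintrc.js  (added example, not the plugin's shipped configuration)
//
// Extends the default checks of no-unsanitized/property with a check on
// innerText / textContent that only fires when the source text of the object
// on the left-hand side matches the regex "script".
module.exports = {
  plugins: ["no-unsanitized"],
  rules: {
    "no-unsanitized/method": "error",
    "no-unsanitized/property": [
      "error",
      // second argument: rule options (escape helpers etc.); defaults kept
      {},
      // third argument: per-property checks, merged with the plugin's defaults
      // (innerHTML, outerHTML, ...). Key = property name on the left of "=".
      {
        // objectMatches: regex strings (assumed, per customization.md) tested
        // against the source text of the object, i.e. the part before ".innerText".
        // "script" is a naming convention, not a type check: it matches
        // `script`, `scriptEl` and `myScripts[0]`, and misses a script element
        // held in a variable named `el`. That is the error-prone part noted above.
        innerText: { objectMatches: ["script"] },
        // textContent on a script element is executed in the same way
        textContent: { objectMatches: ["script"] },
      },
    ],
  },
};
```

With this in place the snippet from the first comment, `script.innerText = attack_var`, is reported, while `div.innerText = attack_var` is not (the object text does not match) and `script.innerText = "static text"` is not either, since the plugin treats plain string literals as safe values. A broader regex such as "[sS]cript" catches more naming variants at the cost of more false positives; a project that creates script elements through a helper should also add that helper's variable names to the list.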