Open realdennis opened 5 years ago
Yes, it's true that innerText is harmful when used with script elements.
Our linter does not know anything about types, so there is no way to figure out if the innerText assignment is harmless (the common case) or not.
What we've done for document.write() is that we created a regular expression for the former part matching stuff like document, contentDocument, etc.
What we /could/ do is create an innerText rule that disallows assignments when the left part matches script. But it's still error prone.
This should be relatively simple. If there's enough interest, I'm happy to guide someone along the way.
Hello @mozfreddyb, I would like to work on this issue. Could you please guide me on how to proceed?
Sorry, I'll need to de-prioritize this.
If anyone wants to fix this for themselves, here's a suggestion:
Use a custom configuration that adds a check on property where the assigned-to property is innerText and it will complain for all innerText assignments, or add a key to the underlying object called matches which allows regex matching on the object variable on which the .innerText property is assigned (e.g., "script"). See https://github.com/mozilla/eslint-plugin-no-unsanitized/blob/master/docs/rules/customization.md for more.
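The object-name matching idea from the comments above, as an added example that is not the plugin's code and not part of any comment in this thread: a text-level approximation (a real ESLint rule would inspect the AST) that shows why matching the left-hand object against "script" is error-prone. The function names and the sample lines are constructed for illustration.

```javascript
// Added example: flag `.innerText` assignments whose object name matches a
// pattern. Text-based approximation only, not the plugin's implementation.
const ASSIGNMENT = /([A-Za-z_$][\w$.]*)\.innerText\s*(?:=(?!=)|\+=)/g;

// Returns one finding per `.innerText` assignment whose left-hand object
// matches objectPattern. Pass null to flag every assignment.
function findInnerTextAssignments(source, objectPattern) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const match of text.matchAll(ASSIGNMENT)) {
      const object = match[1];
      if (objectPattern === null || objectPattern.test(object)) {
        findings.push({ line: index + 1, object });
      }
    }
  });
  return findings;
}

// Constructed sample input; attack_var stands for any unsanitized value.
const SAMPLE = [
  'const scriptEl = document.createElement("script");',
  "scriptEl.innerText = attack_var;", // line 2: name says "script", flagged
  'const el = document.createElement("script");',
  "el.innerText = attack_var;", // line 4: script element, neutral name
  'const description = document.querySelector("p");',
  "description.innerText = attack_var;", // line 6: harmless, name contains "script"
  "if (el.innerText == attack_var) {}", // line 7: comparison, not an assignment
].join("\n");

// Line numbers flagged in SAMPLE for a given object-name pattern.
function flaggedLines(objectPattern) {
  return findInnerTextAssignments(SAMPLE, objectPattern).map((f) => f.line);
}

// Name matching misses line 4 and wrongly flags line 6.
console.log("object matches /script/i:", flaggedLines(/script/i));
// Flagging every assignment catches line 4 but is noisy in the common case.
console.log("every assignment:", flaggedLines(null));
```

The name-based pattern both misses the script element held in a neutrally named variable and flags a harmless element whose name happens to contain "script", which is the trade-off against complaining about every innerText assignment.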
I thought innerText could be harmful in this case when attack_var is unsanitized.