
disallowHtmlText failing on bracket in inline JS block #128

Open gvn opened 7 years ago

gvn commented 7 years ago

The following Pug code makes the disallowHtmlText rule report an error.

//- Inline analytics bootstrap: checks the browser's Do Not Track signal before loading analytics.js
script.
  (function () {
    // Read the Do Not Track value, falling back to the vendor-prefixed variant.
    var _dntStatus = navigator.doNotTrack || navigator.msDoNotTrack;
    // Browser/OS detection used to special-case the DNT value for specific clients.
    var fxMatch = navigator.userAgent.match(/Firefox\/(\d+)/);
    var ie10Match = navigator.userAgent.match(/MSIE 10/i);
    var w8Match = navigator.appVersion.match(/Windows NT 6.2/);

    // Firefox below version 32, and IE10 together with "Windows NT 6.2", are
    // forced to 'Unspecified'. Any other client maps a raw '0'/'1' value to
    // 'Disabled'/'Enabled' and falls back to 'Unspecified' for anything else.
    // pug-lint's disallowHtmlText reports the comparison on the next line
    // (see the linter output below).
    if (fxMatch && Number(fxMatch[1]) < 32) {
      _dntStatus = 'Unspecified';
    } else if (ie10Match && w8Match) {
      _dntStatus = 'Unspecified';
    } else {
      _dntStatus = { '0': 'Disabled', '1': 'Enabled' }[_dntStatus] || 'Unspecified';
    }

    // Analytics is loaded only when DNT is not 'Enabled'; 'Unspecified' and
    // 'Disabled' both fall through to the loader.
    if (_dntStatus !== 'Enabled'){
      // Asynchronous analytics.js loader: defines window.ga as a command queue,
      // records the load time, and injects a script element for the remote
      // (third-party, google-analytics.com) analytics.js ahead of the first
      // existing script tag.
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

      // Queue the tracker creation for this property and the initial page view.
      ga('create', 'UA-87658599-6', 'auto');
      ga('send', 'pageview');
    }
  })();
source/pug/templates/master.pug:89:3
    87|     var w8Match = navigator.appVersion.match(/Windows NT 6.2/);
    88|
  > 89|     if (fxMatch && Number(fxMatch[1]) < 32) {
----------^
    90|       _dntStatus = 'Unspecified';
    91|     } else if (ie10Match && w8Match) {
    92|       _dntStatus = 'Unspecified';

HTML text must not be used

I believe this happens because the `<` character is being mistaken for the start of an HTML tag.

Delagen commented 7 years ago

+1. It cannot be escaped even by using

|!='value < 10'