wikimedia / eslint-plugin-no-jquery

Control allowance of certain jQuery functions, and suggest or autofix alternatives.
MIT License
31 stars, 8 forks

`no-append-html` should catch `.add(html)` #308

Closed andersk closed 6 months ago

andersk commented 7 months ago

`.add` interprets strings as HTML in the same way as `.append`, `.prepend`, `.before`, `.after`, `.replaceWith`, so `no-append-html` should scrutinize it in the same way.

```js
const untrusted_input = "<img src=x onerror=alert(1)>";
const $oops = $().add(untrusted_input); // should trigger no-append-html, but doesn’t
$("<body>").append($oops); // XSS
```
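Added example, not code from the plugin or from the issue author: the core decision logic of an ESLint rule that treats `.add()` as the same kind of HTML sink as `.append()`, `.prepend()`, `.before()`, `.after()` and `.replaceWith()`. The heuristics for "might this argument be an HTML string" (string literals containing `<`, template literals, and any non-literal expression are flagged; `$(...)`/`jQuery(...)` results and plain selector strings are not) are assumptions chosen for illustration, and the receiver-is-jQuery check that the real plugin performs is omitted. The ESTree fragments at the bottom are hand-constructed rather than produced by a parser, so the block runs without ESLint installed.

```javascript
// Hypothetical rule core: flag `.add(x)` (and the other insertion methods)
// when `x` may be an untrusted HTML string. Illustrative, not the plugin's code.

const HTML_METHODS = new Set(['add', 'append', 'prepend', 'before', 'after', 'replaceWith']);

// Conservative guess at whether an argument node could carry an HTML string.
// Assumptions: a string literal without '<' is a selector; a `$(...)` or
// `jQuery(...)` call yields a collection, not a string; object/array/function
// arguments cannot be parsed as HTML; everything else (identifiers, string
// concatenation, template literals, member lookups) is treated as suspect.
function mayBeHtmlString(arg) {
  if (!arg) return false;
  if (arg.type === 'Literal') {
    return typeof arg.value === 'string' && arg.value.includes('<');
  }
  if (arg.type === 'TemplateLiteral') return true;
  if (arg.type === 'CallExpression' && arg.callee.type === 'Identifier' &&
      (arg.callee.name === '$' || arg.callee.name === 'jQuery')) {
    return false;
  }
  const safeTypes = ['ObjectExpression', 'ArrayExpression', 'FunctionExpression', 'ArrowFunctionExpression'];
  if (safeTypes.includes(arg.type)) return false;
  return true;
}

// For a CallExpression node, return the sink method name to report, or null.
function findHtmlSink(node) {
  if (node.type !== 'CallExpression') return null;
  const callee = node.callee;
  if (callee.type !== 'MemberExpression' || callee.computed || callee.property.type !== 'Identifier') {
    return null;
  }
  const name = callee.property.name;
  if (!HTML_METHODS.has(name)) return null;
  return mayBeHtmlString(node.arguments[0]) ? name : null;
}

// ESLint rule object in the usual shape (rule id assumed to be `no-append-html`).
const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'Disallow passing possible HTML strings to jQuery insertion methods, including .add()' },
    schema: [],
  },
  create(context) {
    return {
      CallExpression(node) {
        const name = findHtmlSink(node);
        if (name) {
          context.report({ node, message: `Prefer DOM building to .${name}(html)` });
        }
      },
    };
  },
};

// Hand-constructed ESTree fragments (constructed for this example, not parser output).
function id(name) { return { type: 'Identifier', name }; }
function lit(value) { return { type: 'Literal', value }; }
function jq(...args) { return { type: 'CallExpression', callee: id('$'), arguments: args }; }
function method(object, name, args) {
  return {
    type: 'CallExpression',
    callee: { type: 'MemberExpression', object, property: id(name), computed: false },
    arguments: args,
  };
}

const SAMPLES = {
  variable: method(jq(), 'add', [id('untrusted_input')]),                       // $().add(untrusted_input)
  htmlLiteral: method(jq(lit('<div>')), 'add', [lit('<img src=x onerror=alert(1)>')]), // literal HTML
  selector: method(jq(lit('div')), 'add', [lit('span.x')]),                    // selector string, fine
  jqueryArg: method(jq(lit('div')), 'add', [jq(lit('span'))]),                 // jQuery object, fine
  appendVariable: method(jq(lit('body')), 'append', [id('untrusted_input')]), // already-covered sink
  unrelated: method(jq(lit('div')), 'addClass', [id('untrusted_input')]),      // not an HTML sink
};

// Run the rule over each sample and count reports per sample.
function lintSamples() {
  const counts = {};
  for (const [key, node] of Object.entries(SAMPLES)) {
    const messages = [];
    const context = { report: ({ message }) => messages.push(message) };
    rule.create(context).CallExpression(node);
    counts[key] = messages.length;
  }
  return counts;
}

console.log(lintSamples());
// → { variable: 1, htmlLiteral: 1, selector: 0, jqueryArg: 0, appendVariable: 1, unrelated: 0 }
```

The only change that makes `.add()` behave like the other sinks is its presence in `HTML_METHODS`; the argument heuristic is shared, which is why adding a method to the set is the whole fix from the rule's point of view.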