1.0.16 • Published 8 years ago

eslint-plugin-no-unsafe-innerhtml v1.0.16

Weekly downloads
12,933
License
MPL-2.0
Repository
github
Last release
8 years ago

Build Status

Disallow unsafe HTML templating (no-unsafe-innerhtml)

This function disallows unsafe coding practices that may result into security vulnerabilities. We will disallow assignments to innerHTML as well as calls to insertAdjacentHTML without the use of a pre-defined escaping function. The escaping functions must be called with a template string. The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.

Rule Details

The rule disallows unsafe coding practices while trying to allow safe coding practices.

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;

This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase Gaia. Further documentation, which includes references to the escaping functions can be found on MDN.

eslinteslint-plugineslintpluginlintsecurity
eslint
@infinitebrahmanuniverse/nolb-eslint-plugin-n@everything-registry/sub-chunk-1613powerbi-visuals-package-validatorgulp-powerbi-package-validatoreslint-config-secure
1.0.16

8 years ago

1.0.15

9 years ago

1.0.14

10 years ago

0.1.13

10 years ago

0.1.12

10 years ago

0.1.11

10 years ago

0.1.10

10 years ago

0.1.9

10 years ago

0.1.8

10 years ago

0.1.7

10 years ago

0.1.6

10 years ago

0.1.5

10 years ago

0.1.4

10 years ago

0.1.3

10 years ago

0.1.2

10 years ago

0.1.1

10 years ago

0.1.0

10 years ago