1.0.16 • Published 7 years ago

eslint-plugin-no-unsafe-innerhtml v1.0.16

Weekly downloads: 12,933
License: MPL-2.0
Repository: github
Last release: 7 years ago


Disallow unsafe HTML templating (no-unsafe-innerhtml)

This rule disallows unsafe coding practices that may result in security vulnerabilities. It reports assignments to innerHTML as well as calls to insertAdjacentHTML unless the value passes through a pre-defined escaping function. The escaping functions must be called as a tag on a template string, not with an already-built string. The recognised function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.

Rule Details

The rule disallows unsafe coding practices while trying to allow safe coding practices.

Here are a few examples of code that we do not want to allow:

```js
foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";
```

A few examples of allowed practices:

```js
foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;
```
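The examples above only make sense if escapeHTML behaves as a template tag: literal markup written by the developer passes through, while every interpolated value is escaped. The following is an added illustration of such a tag, not the plugin's or MDN's own implementation; the function name escapeHTML comes from the rule, the escaping table and the sample url value are assumptions made here.

```javascript
// Added example (not the plugin's own code): a tagged-template escaping
// function of the shape the rule expects. Literal template parts are the
// developer's own markup and pass through unchanged; every interpolated
// value is HTML-escaped, so untrusted input cannot break out of the markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a single interpolated value for use in HTML text or attribute context.
function escapeValue(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function, used as: escapeHTML`<a href='${url}'>About</a>`
// Calling it with an ordinary string (escapeHTML("<p>" + x + "</p>")) is
// rejected, which mirrors the rule's requirement that the escaping function
// be applied to a template string and not to already-concatenated markup.
function escapeHTML(strings, ...values) {
  if (!Array.isArray(strings) || !Array.isArray(strings.raw)) {
    throw new TypeError('escapeHTML must be used as a template tag');
  }
  let out = '';
  strings.forEach((literal, i) => {
    out += literal;                   // trusted markup from the template itself
    if (i < values.length) {
      out += escapeValue(values[i]);  // untrusted interpolation, escaped
    }
  });
  return out;
}

// Constructed sample input: a value that tries to close the href attribute.
const url = "/about' title='injected";
// The unsafe form the rule rejects: concatenation leaves the quote intact,
// so the attribute boundary is broken.
const unsafe = "<a href='" + url + "'>About</a>";
// The safe form the rule allows: same markup, interpolation escaped.
const safe = escapeHTML`<a href='${url}'>About</a>`;
```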

This rule is being used within Mozilla to maintain and improve the security of the Firefox OS front-end codebase, Gaia. Further documentation, including references to the escaping functions, can be found on MDN.
