lint: error on innerHTML and family (#16477)

* lint for innerHTML and family Browser apis like innerHTML and document.write are dangerous when used incorrectly, so we should not be using them unless we explicitly opt-out of the linting rule on a case by case basis. * add no-unsanitized to eslint peerDependencies
2025-04-24 01:38:56 -04:00 · 2018-02-04 08:38:37 -05:00 · 2018-02-04 08:38:37 -05:00 · 271a941621
commit 271a941621
parent 43dfbf01dc
6 changed files with 107 additions and 15 deletions
--- a/package.json
+++ b/package.json
@ -237,6 +237,7 @@
    "eslint-plugin-import": "2.8.0",
    "eslint-plugin-jest": "^21.6.2",
    "eslint-plugin-mocha": "4.11.0",
+    "eslint-plugin-no-unsanitized": "^2.0.2",
    "eslint-plugin-prefer-object-spread": "1.2.1",
    "eslint-plugin-react": "7.5.1",
    "event-stream": "3.3.2",
--- a/packages/eslint-config-kibana/.eslintrc.js
+++ b/packages/eslint-config-kibana/.eslintrc.js
@ -8,6 +8,7 @@ module.exports = {
    'babel',
    'react',
    'import',
+    'no-unsanitized',
    'prefer-object-spread',
  ],

@ -69,6 +70,8 @@ module.exports = {
    'no-trailing-spaces': 'error',
    'no-undef': 'error',
    'no-underscore-dangle': 'off',
+    'no-unsanitized/method': 'error',
+    'no-unsanitized/property': 'error',
    'no-unused-expressions': 'off',
    'no-unused-vars': [ 'error' ],
    'no-use-before-define': [ 'error', 'nofunc' ],
--- a/packages/eslint-config-kibana/package.json
+++ b/packages/eslint-config-kibana/package.json
@ -29,6 +29,7 @@
    "eslint-plugin-import": "^2.6.0",
    "eslint-plugin-jest": "^21.0.0",
    "eslint-plugin-mocha": "^4.9.0",
+    "eslint-plugin-no-unsanitized": "^2.0.2",
    "eslint-plugin-prefer-object-spread": "^1.2.1",
    "eslint-plugin-react": "^7.1.0"
  }
--- a/ui_framework/doc_site/src/components/guide_demo/guide_demo.js
+++ b/ui_framework/doc_site/src/components/guide_demo/guide_demo.js
@ -19,17 +19,17 @@ export class GuideDemo extends Component {
    }

    // Inject HTML.
-    this.content.innerHTML = this.props.html;
+    this.content.innerHTML = this.props.html; // eslint-disable-line no-unsanitized/property

    // Inject JS.
    const js = document.createElement('script');
    js.type = 'text/javascript';
-    js.innerHTML = this.props.js;
+    js.innerHTML = this.props.js; // eslint-disable-line no-unsanitized/property
    this.content.appendChild(js);

    // Inject CSS.
    const css = document.createElement('style');
-    css.innerHTML = this.props.css;
+    css.innerHTML = this.props.css; // eslint-disable-line no-unsanitized/property
    this.content.appendChild(css);
  }

--- a/ui_framework/src/test/take_mounted_snapshot.js
+++ b/ui_framework/src/test/take_mounted_snapshot.js
@ -7,6 +7,6 @@
 export const takeMountedSnapshot = mountedComponent => {
  const html = mountedComponent.html();
  const template = document.createElement('template');
-  template.innerHTML = html;
+  template.innerHTML = html; // eslint-disable-line no-unsanitized/property
  return template.content.firstChild;
 };
--- a/yarn.lock
+++ b/yarn.lock
@ -262,11 +262,15 @@ aggregate-error@^1.0.0:
    clean-stack "^1.0.0"
    indent-string "^3.0.0"

+ajv-keywords@^1.0.0:
+  version "1.5.1"
+  resolved "https://registry.yarnpkg.com/ajv-keywords/-/ajv-keywords-1.5.1.tgz#314dd0a4b3368fad3dfcdc54ede6171b886daf3c"
+
 ajv-keywords@^2.0.0, ajv-keywords@^2.1.0:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/ajv-keywords/-/ajv-keywords-2.1.1.tgz#617997fc5f60576894c435f940d819e135b80762"

-ajv@^4.9.1:
+ajv@^4.7.0, ajv@^4.9.1:
  version "4.11.8"
  resolved "https://registry.yarnpkg.com/ajv/-/ajv-4.11.8.tgz#82ffb02b29e662ae53bdc20af15947706739c536"
  dependencies:
@ -666,7 +670,7 @@ b64@3.x.x:
  version "3.0.3"
  resolved "https://registry.yarnpkg.com/b64/-/b64-3.0.3.tgz#36afeee0d9345f046387ce6de8a6702afe5bb56e"

-babel-code-frame@^6.11.0, babel-code-frame@^6.20.0, babel-code-frame@^6.22.0, babel-code-frame@^6.26.0:
+babel-code-frame@^6.11.0, babel-code-frame@^6.16.0, babel-code-frame@^6.20.0, babel-code-frame@^6.22.0, babel-code-frame@^6.26.0:
  version "6.26.0"
  resolved "https://registry.yarnpkg.com/babel-code-frame/-/babel-code-frame-6.26.0.tgz#63fd43f7dc1e3bb7ce35947db8fe369a3f58c74b"
  dependencies:
@ -2327,7 +2331,7 @@ concat-map@0.0.1:
  version "0.0.1"
  resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"

-concat-stream@1.6.0, concat-stream@^1.4.7, concat-stream@^1.6.0:
+concat-stream@1.6.0, concat-stream@^1.4.7, concat-stream@^1.5.2, concat-stream@^1.6.0:
  version "1.6.0"
  resolved "https://registry.yarnpkg.com/concat-stream/-/concat-stream-1.6.0.tgz#0aac662fd52be78964d5532f694784e70110acf7"
  dependencies:
@ -3710,6 +3714,12 @@ eslint-plugin-mocha@4.11.0:
  dependencies:
    ramda "^0.24.1"

+eslint-plugin-no-unsanitized@^2.0.2:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/eslint-plugin-no-unsanitized/-/eslint-plugin-no-unsanitized-2.0.2.tgz#a42a83c9b3d9386101d6fd6915c41759fa7a37f7"
+  dependencies:
+    eslint "^3.19.0"
+
 eslint-plugin-prefer-object-spread@1.2.1:
  version "1.2.1"
  resolved "https://registry.yarnpkg.com/eslint-plugin-prefer-object-spread/-/eslint-plugin-prefer-object-spread-1.2.1.tgz#27fb91853690cceb3ae6101d9c8aecc6a67a402c"
@ -3776,7 +3786,47 @@ eslint@4.14.0:
    table "^4.0.1"
    text-table "~0.2.0"

-espree@^3.5.2:
+eslint@^3.19.0:
+  version "3.19.0"
+  resolved "https://registry.yarnpkg.com/eslint/-/eslint-3.19.0.tgz#c8fc6201c7f40dd08941b87c085767386a679acc"
+  dependencies:
+    babel-code-frame "^6.16.0"
+    chalk "^1.1.3"
+    concat-stream "^1.5.2"
+    debug "^2.1.1"
+    doctrine "^2.0.0"
+    escope "^3.6.0"
+    espree "^3.4.0"
+    esquery "^1.0.0"
+    estraverse "^4.2.0"
+    esutils "^2.0.2"
+    file-entry-cache "^2.0.0"
+    glob "^7.0.3"
+    globals "^9.14.0"
+    ignore "^3.2.0"
+    imurmurhash "^0.1.4"
+    inquirer "^0.12.0"
+    is-my-json-valid "^2.10.0"
+    is-resolvable "^1.0.0"
+    js-yaml "^3.5.1"
+    json-stable-stringify "^1.0.0"
+    levn "^0.3.0"
+    lodash "^4.0.0"
+    mkdirp "^0.5.0"
+    natural-compare "^1.4.0"
+    optionator "^0.8.2"
+    path-is-inside "^1.0.1"
+    pluralize "^1.2.1"
+    progress "^1.1.8"
+    require-uncached "^1.0.2"
+    shelljs "^0.7.5"
+    strip-bom "^3.0.0"
+    strip-json-comments "~2.0.1"
+    table "^3.7.8"
+    text-table "~0.2.0"
+    user-home "^2.0.0"
+
+espree@^3.4.0, espree@^3.5.2:
  version "3.5.2"
  resolved "https://registry.yarnpkg.com/espree/-/espree-3.5.2.tgz#756ada8b979e9dcfcdb30aad8d1a9304a905e1ca"
  dependencies:
@ -4711,7 +4761,7 @@ globals@^11.0.1:
  version "11.1.0"
  resolved "https://registry.yarnpkg.com/globals/-/globals-11.1.0.tgz#632644457f5f0e3ae711807183700ebf2e4633e4"

-globals@^9.18.0:
+globals@^9.14.0, globals@^9.18.0:
  version "9.18.0"
  resolved "https://registry.yarnpkg.com/globals/-/globals-9.18.0.tgz#aa3896b3e69b487f17e31ed2143d69a8e30c2d8a"

@ -5433,7 +5483,7 @@ ieee754@^1.1.4:
  version "1.1.8"
  resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.1.8.tgz#be33d40ac10ef1926701f6f08a2d86fbfd1ad3e4"

-ignore@^3.3.3:
+ignore@^3.2.0, ignore@^3.3.3:
  version "3.3.7"
  resolved "https://registry.yarnpkg.com/ignore/-/ignore-3.3.7.tgz#612289bfb3c220e186a58118618d5be8c1bab021"

@ -5568,6 +5618,24 @@ inquirer@^0.11.1:
    strip-ansi "^3.0.0"
    through "^2.3.6"

+inquirer@^0.12.0:
+  version "0.12.0"
+  resolved "https://registry.yarnpkg.com/inquirer/-/inquirer-0.12.0.tgz#1ef2bfd63504df0bc75785fff8c2c41df12f077e"
+  dependencies:
+    ansi-escapes "^1.1.0"
+    ansi-regex "^2.0.0"
+    chalk "^1.0.0"
+    cli-cursor "^1.0.1"
+    cli-width "^2.0.0"
+    figures "^1.3.5"
+    lodash "^4.3.0"
+    readline2 "^1.0.1"
+    run-async "^0.1.0"
+    rx-lite "^3.1.2"
+    string-width "^1.0.1"
+    strip-ansi "^3.0.0"
+    through "^2.3.6"
+
 inquirer@^1.0.2:
  version "1.2.3"
  resolved "https://registry.yarnpkg.com/inquirer/-/inquirer-1.2.3.tgz#4dec6f32f37ef7bb0b2ed3f1d1a5c3f545074918"
@ -5828,7 +5896,7 @@ is-installed-globally@^0.1.0:
    global-dirs "^0.1.0"
    is-path-inside "^1.0.0"

-is-my-json-valid@^2.12.0:
+is-my-json-valid@^2.10.0, is-my-json-valid@^2.12.0:
  version "2.17.1"
  resolved "https://registry.yarnpkg.com/is-my-json-valid/-/is-my-json-valid-2.17.1.tgz#3da98914a70a22f0a8563ef1511a246c6fc55471"
  dependencies:
@ -6532,7 +6600,7 @@ js-yaml@3.4.1:
    argparse "~1.0.2"
    esprima "~2.2.0"

-js-yaml@3.x, js-yaml@^3.4.3, js-yaml@^3.5.2, js-yaml@^3.7.0, js-yaml@^3.9.1:
+js-yaml@3.x, js-yaml@^3.4.3, js-yaml@^3.5.1, js-yaml@^3.5.2, js-yaml@^3.7.0, js-yaml@^3.9.1:
  version "3.10.0"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.10.0.tgz#2e78441646bd4682e963f22b6e92823c309c62dc"
  dependencies:
@ -6647,7 +6715,7 @@ json-stable-stringify-without-jsonify@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz#9db7b59496ad3f3cfef30a75142d2d930ad72651"

-json-stable-stringify@^1.0.1:
+json-stable-stringify@^1.0.0, json-stable-stringify@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/json-stable-stringify/-/json-stable-stringify-1.0.1.tgz#9a759d39c5f2ff503fd5300646ed445f88c4f9af"
  dependencies:
@ -8791,6 +8859,10 @@ pkginfo@0.4.1:
  version "0.4.1"
  resolved "https://registry.yarnpkg.com/pkginfo/-/pkginfo-0.4.1.tgz#b5418ef0439de5425fc4995042dced14fb2a84ff"

+pluralize@^1.2.1:
+  version "1.2.1"
+  resolved "https://registry.yarnpkg.com/pluralize/-/pluralize-1.2.1.tgz#d1a21483fd22bb41e58a12fa3421823140897c45"
+
 pluralize@^7.0.0:
  version "7.0.0"
  resolved "https://registry.yarnpkg.com/pluralize/-/pluralize-7.0.0.tgz#298b89df8b93b0221dbf421ad2b1b1ea23fc6777"
@ -10017,7 +10089,7 @@ require-main-filename@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/require-main-filename/-/require-main-filename-1.0.1.tgz#97f717b69d48784f5f526a6c5aa8ffdda055a4d1"

-require-uncached@^1.0.3:
+require-uncached@^1.0.2, require-uncached@^1.0.3:
  version "1.0.3"
  resolved "https://registry.yarnpkg.com/require-uncached/-/require-uncached-1.0.3.tgz#4e0d56d6c9662fd31e43011c4b95aa49955421d3"
  dependencies:
@ -10423,7 +10495,7 @@ shebang-regex@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3"

-shelljs@^0.7.0:
+shelljs@^0.7.0, shelljs@^0.7.5:
  version "0.7.8"
  resolved "https://registry.yarnpkg.com/shelljs/-/shelljs-0.7.8.tgz#decbcf874b0d1e5fb72e14b164a9683048e9acb3"
  dependencies:
@ -10473,6 +10545,10 @@ slash@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/slash/-/slash-1.0.0.tgz#c41f2f6c39fc16d1cd17ad4b5d896114ae470d55"

+slice-ansi@0.0.4:
+  version "0.0.4"
+  resolved "https://registry.yarnpkg.com/slice-ansi/-/slice-ansi-0.0.4.tgz#edbf8903f66f7ce2f8eafd6ceed65e264c831b35"
+
 slice-ansi@1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/slice-ansi/-/slice-ansi-1.0.0.tgz#044f1a49d8842ff307aad6b505ed178bd950134d"
@ -11059,6 +11135,17 @@ tabbable@^1.0.3, tabbable@^1.1.0:
  version "1.1.2"
  resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-1.1.2.tgz#b171680aea6e0a3e9281ff23532e2e5de11c0d94"

+table@^3.7.8:
+  version "3.8.3"
+  resolved "https://registry.yarnpkg.com/table/-/table-3.8.3.tgz#2bbc542f0fda9861a755d3947fefd8b3f513855f"
+  dependencies:
+    ajv "^4.7.0"
+    ajv-keywords "^1.0.0"
+    chalk "^1.1.1"
+    lodash "^4.0.0"
+    slice-ansi "0.0.4"
+    string-width "^2.0.0"
+
 table@^4.0.1:
  version "4.0.2"
  resolved "https://registry.yarnpkg.com/table/-/table-4.0.2.tgz#a33447375391e766ad34d3486e6e2aedc84d2e36"