Closed Bug 1196956 Opened 10 years ago Closed 10 years ago

Improve ESLint rules to throw an error on improper usage of Sanitizer

Categories

(Firefox OS Graveyard :: Gaia, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tedd, Assigned: freddy)

References

Details

ESLint should throw an error when the Sanitizer createSafeHTML or escapeHTML functions are used without properly passing the arguments. (See Bug 1192595)

For example:

> Sanitizer.createSafeHTML(`<HTML here>`)

will interpolate the template before passing it to the sanitizer function. The correct usage would be:

> Sanitizer.createSafeHTML`<HTML here>`

One way to accomplish this would be to check the |values| array of the function[1]:

> createSafeHTML: function (strings, ...values)

In the case of the first example, |values| would be empty and therefore nothing will be escaped.

The proper use of the sanitizer functions is very security sensitive, and can lead to un-escaped HTML content when used in the wrong way.

[1] https://github.com/mozilla-b2g/gaia/blob/master/shared/js/sanitizer.js#L62
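The following is an added example (not Gaia's shared/js/sanitizer.js and not the ESLint plugin) that reproduces the misuse described above in a minimal tagged-template sanitizer of the same shape as createSafeHTML(strings, ...values). It shows why the parenthesized form leaves the interpolated value unescaped (|values| is empty), and adds a runtime guard, a dynamic analogue of the proposed lint rule, that rejects a call whose first argument is not a template strings array. The escaping table, the Sanitizer object, the helper names and the attacker payload are all constructed for this example.

```javascript
// Added example, not Gaia's sanitizer.js: a minimal tagged-template sanitizer
// with a runtime check for the createSafeHTML(`...`) misuse.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHTMLString(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// A genuine tagged-template call receives the template's literal chunks as an
// array that also carries a `raw` array. A parenthesized call
// createSafeHTML(`...`) passes an already-interpolated plain string instead.
function isTemplateStringsArray(strings) {
  return Array.isArray(strings) && Array.isArray(strings.raw);
}

const Sanitizer = {
  // Literal chunks are trusted; every interpolated value is escaped.
  createSafeHTML(strings, ...values) {
    if (!isTemplateStringsArray(strings)) {
      throw new TypeError(
        'createSafeHTML must be used as a tag: createSafeHTML`...`, not createSafeHTML(`...`)'
      );
    }
    let html = strings[0];
    for (let i = 0; i < values.length; i++) {
      html += escapeHTMLString(values[i]) + strings[i + 1];
    }
    return { __html: html };
  },
};

// The unguarded behaviour the report describes: with the parenthesized form
// `values` is empty, so no escaping happens and the user-controlled text
// reaches the output untouched. Kept here only to make the failure visible.
function unguardedCreateSafeHTML(strings, ...values) {
  const chunks = isTemplateStringsArray(strings) ? strings : [String(strings)];
  let html = chunks[0];
  for (let i = 0; i < values.length; i++) {
    html += escapeHTMLString(values[i]) + chunks[i + 1];
  }
  return { __html: html, escapedValues: values.length };
}

// Constructed attacker-controlled input for the demonstration.
const PAYLOAD = '<img src=x onerror=alert(1)>';

// Correct usage: the tag form. The payload is escaped.
function renderCorrect(userInput) {
  return Sanitizer.createSafeHTML`<p>Hello, ${userInput}</p>`.__html;
}

// Misuse, unguarded (intentionally wrong, for illustration): the template
// literal is interpolated before the call, so the payload is not escaped.
function renderMisusedUnguarded(userInput) {
  return unguardedCreateSafeHTML(`<p>Hello, ${userInput}</p>`);
}

// Same misuse against the guarded sanitizer: rejected instead of rendered.
function renderMisusedGuarded(userInput) {
  try {
    return Sanitizer.createSafeHTML(`<p>Hello, ${userInput}</p>`).__html;
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'unexpected';
  }
}
```

The runtime guard costs a check on every call, which is the performance concern raised in the thread; a lint rule catches the same pattern statically by flagging a call expression whose callee is createSafeHTML or escapeHTML rather than a tagged template expression, so only development pays for it.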
Assignee: nobody → fbraun
Thanks for the bug report. I could implement this in both the sanitizer and the eslint extension. Will look into what makes more sense (Hunch: doing this in eslint would be a lesser performance penalty, as it's only done during development, not at runtime).
Gaah, too many folks misusing it. Pointing myself to https://github.com/mozilla-b2g/gaia/search?utf8=%E2%9C%93&q=createSafeHTML
Fixed with https://github.com/mozfreddyb/eslint-plugin-no-unsafe-innerhtml/commit/a8f9e0e2b3b7c79e1b1dc0ee9dee24a300176ec3, which is version 0.1.11. Waiting for bug 1203514 to get an updated version into Gaia.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
See Also: → 1203514