From 5bb5e7741d0103b2b14a10cb8129ffe8156e5aae Mon Sep 17 00:00:00 2001
From: Jonas Jenwald
Date: Sun, 23 Jun 2019 13:37:51 +0200
Subject: [PATCH] Enable the `eslint-plugin-no-unsanitized` ESLint plugin to disallow unsafe usage of e.g. `innerHTML`
See https://github.com/mozilla/eslint-plugin-no-unsanitized
Since we've generally never allowed e.g. `innerHTML`, which is enforced during review, there's only one linting failure with this patch. (Which is white-listed, according to the existing comment and the fact that it's test-only code.)
---
 .eslintrc | 3 +++
 src/core/operator_list.js | 1 +
 test/driver.js | 1 +
 3 files changed, 5 insertions(+)
diff --git a/.eslintrc b/.eslintrc
index d5be84ab0..56161a346 100644
--- a/.eslintrc
+++ b/.eslintrc
@@ -7,6 +7,7 @@
 "plugins": [
 "import",
 "mozilla",
+ "no-unsanitized",
 "unicorn",
 ],
@@ -28,6 +29,8 @@
 "import/no-unresolved": "error",
 "mozilla/avoid-removeChild": "error",
 "mozilla/use-includes-instead-of-indexOf": "error",
+ "no-unsanitized/method": "error",
+ "no-unsanitized/property": "error",
 "unicorn/no-array-instanceof": "error",
 // Possible errors
diff --git a/src/core/operator_list.js b/src/core/operator_list.js
index bdb3ba84f..ad50c2fd2 100644
--- a/src/core/operator_list.js
+++ b/src/core/operator_list.js
@@ -12,6 +12,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+/* eslint-disable no-unsanitized/method */
 import { assert, ImageKind, OPS } from '../shared/util';
diff --git a/test/driver.js b/test/driver.js
index 464f01e15..745f71167 100644
--- a/test/driver.js
+++ b/test/driver.js
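Review bot: The `"no-unsanitized"` entry added to `plugins` in the first .eslintrc hunk only loads if the `eslint-plugin-no-unsanitized` package is installed, and the diffstat lists just .eslintrc, src/core/operator_list.js and test/driver.js. If the package is not already a devDependency, ESLint will fail to load this configuration. In that case add it to package.json in the same commit, with a bounded version range so the lint gate behaves the same on every checkout. The two rule entries in the second .eslintrc hunk depend on the same package.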
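Review bot: The file-wide `/* eslint-disable no-unsanitized/method */` added at the top of src/core/operator_list.js switches the rule off for every call in a non-test source file. The commit message accounts for only one linting failure, the test-only one in test/driver.js, so this second suppression is unexplained. The call that trips the rule is outside the hunk, so it cannot be judged from here whether it is a false positive. If it is, scope the exemption to that line with `// eslint-disable-next-line no-unsanitized/method` and add a one-line comment above it saying why the call is safe. That keeps the check active for anything added to this file later.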
@@ -627,6 +627,7 @@ var Driver = (function DriverClosure() { // eslint-disable-line no-unused-vars
 // Using insertAdjacentHTML yields a large performance gain and
 // reduces runtime significantly.
 if (this.output.insertAdjacentHTML) {
+ // eslint-disable-next-line no-unsanitized/method
 this.output.insertAdjacentHTML('BeforeEnd', message);
 } else {
 this.output.textContent += message;
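Review bot: The two branches in this test/driver.js hunk treat `message` differently: `this.output.insertAdjacentHTML('BeforeEnd', message)` parses it as markup, while the fallback `this.output.textContent += message` inserts it as plain text. The new `// eslint-disable-next-line no-unsanitized/method` gives no reason for the exemption, and the existing comment above the `if` only covers performance. Where `message` is built is outside the hunk, so its contents cannot be checked from here. Once the callers have been checked, I would add a line above the directive such as `// Test-only: message is assembled by the driver itself, never from page content.` so the exemption records the assumption it rests on. The enclosing method starts and ends outside the hunk.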