![Build Status](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized)

Disallow unsanitized code (no-unsanitized)

These rules disallow unsafe coding practices that may result into security
vulnerabilities. We will disallow assignments (e.g., to innerHTML) as well as
calls (e.g., to insertAdjacentHTML) without the use of a pre-defined escaping
function. The escaping functions must be called with a template string.
The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.
The plugin also supports the
Sanitizer API
and calls to .setHTML() are also allowed by default.

This plugin is built for and used within Mozilla to maintain and improve the security
of our products and services.

Rule Details

method

The _method_ rule disallows certain function calls.
E.g., document.write() or insertAdjacentHTML().
See docs/rules/method.md for more.

property

The _property_ rule disallows certain assignment expressions, e.g., to innerHTML.

See docs/rules/property.md for more.

Examples

Here are a few examples of code that we do not want to allow:

``js foo.innerHTML = input.value; bar.innerHTML = "About";`

A few examples of allowed practices:

`js foo.innerHTML = 5; bar.innerHTML = "About"; bar.innerHTML = escapeHTMLAbout;`

`Install`

With yarn or npm:

`bash $ yarn add -D eslint-plugin-no-unsanitized $ npm install --save-dev eslint-plugin-no-unsanitized`

`Usage`

`$3`

`js import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [nounsanitized.configs.recommended];`

or

`js import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [ { files: ["*/.js"], plugins: { nounsanitized }, rules: { "nounsanitized/method": "error", "nounsanitized/property": "error", }, }, ];`

`$3`

In your .eslintrc.json file enable this rule with the following:

`json { "extends": ["plugin:no-unsanitized/recommended-legacy"] }`

Or:

`json { "plugins": ["no-unsanitized"], "rules": { "no-unsanitized/method": "error", "no-unsanitized/property": "error" } }``

Documentation

See docs/.

![Build Status](https://travis-ci.org/mozilla/eslint-plugin-no-unsanitized)

Disallow unsanitized code (no-unsanitized)

This plugin is built for and used within Mozilla to maintain and improve the security
of our products and services.

Rule Details

method

The _method_ rule disallows certain function calls.
E.g., document.write() or insertAdjacentHTML().
See docs/rules/method.md for more.

property

The _property_ rule disallows certain assignment expressions, e.g., to innerHTML.

See docs/rules/property.md for more.

Examples

Here are a few examples of code that we do not want to allow:

``js foo.innerHTML = input.value; bar.innerHTML = "About";`

A few examples of allowed practices:

`js foo.innerHTML = 5; bar.innerHTML = "About"; bar.innerHTML = escapeHTMLAbout;`

`Install`

With yarn or npm:

`bash $ yarn add -D eslint-plugin-no-unsanitized $ npm install --save-dev eslint-plugin-no-unsanitized`

`Usage`

`$3`

`js import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [nounsanitized.configs.recommended];`

or

`js import nounsanitized from "eslint-plugin-no-unsanitized";

export default config = [ { files: ["*/.js"], plugins: { nounsanitized }, rules: { "nounsanitized/method": "error", "nounsanitized/property": "error", }, }, ];`

`$3`

In your .eslintrc.json file enable this rule with the following:

`json { "extends": ["plugin:no-unsanitized/recommended-legacy"] }`

Or:

`json { "plugins": ["no-unsanitized"], "rules": { "no-unsanitized/method": "error", "no-unsanitized/property": "error" } }``

Documentation

See docs/.