request #14613: Use ESLint to prevent some XSS when working with unsafe DOM APIs

This contribution introduces the rules proposed by eslint-plugin-no-unsanitized [0] to the Tuleap ESLint configuration. The goal is to push developers to not use unsafe DOM APIs or, if they really need to, to properly sanitize the data they are going to insert into the DOM.

Two methods have been whitelisted as acceptable to sanitize data:
* render() to allow usage of mustache.js
* sanitize() to allow usage of DOMPurify for the cases when we need to work with HTML strings.

tuleap.escaper.html() has been voluntarily left out, the usage of mustache.js should be preferred in this situation.

[0] https://github.com/mozilla/eslint-plugin-no-unsanitized

Change-Id: I3c1ef2c69cbb528a07c0d94c561792764a6ab036
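The kind of ESLint configuration the commit message describes, written here as an added example and not taken from this change's .eslintrc.js diff: it enables the two eslint-plugin-no-unsanitized rules and whitelists the render() and sanitize() method names. The exact option values Tuleap committed are an assumption; the rule names and the escape.methods option are the plugin's own.

```javascript
// Added example, not the .eslintrc.js from this change. The option values are
// an assumption based on the commit message (render() and sanitize() whitelisted).
const noUnsanitizedOptions = {
    // Calls whose return value the rules treat as safe to hand to a DOM sink:
    //   Mustache.render(template, view)  -> escapes interpolated values
    //   DOMPurify.sanitize(htmlString)   -> strips dangerous markup
    escape: {
        methods: ["render", "sanitize"],
    },
};

const config = {
    plugins: ["no-unsanitized"],
    rules: {
        // Reports assignments to innerHTML / outerHTML and similar property
        // sinks unless the value is a literal or wrapped in a whitelisted method.
        "no-unsanitized/property": ["error", noUnsanitizedOptions],
        // Reports insertAdjacentHTML(), document.write() and similar method
        // sinks called with unsanitized arguments.
        "no-unsanitized/method": ["error", noUnsanitizedOptions],
    },
};

// What the rules mean for application code (illustration only, not executed):
//   container.innerHTML = userMarkup;                          // reported
//   container.innerHTML = DOMPurify.sanitize(userMarkup);      // accepted
//   container.innerHTML = Mustache.render(tpl, { userMarkup }); // accepted
//   container.textContent = userMarkup;                        // not a sink

module.exports = config;
```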

Modified Files

M .eslintrc.js (+19 −2)
M package-lock.json (+6 −0)
M package.json (+1 −0)
M plugins/artifactsfolders/scripts/rollup.js (+2 −2)
M plugins/docman/www/scripts/docman.js (+1 −0)
M plugins/forumml/www/scripts/cc_attach.js (+2 −0)
M plugins/ldap/www/scripts/project-admin/preview-for-select2.js (+12 −10)
M src/www/file/scripts/frs.js (+3 −1)
M src/www/scripts/admin/massmail.js (+5 −5)
M src/www/scripts/clamp.js (+2 −2)
M src/www/scripts/fieldEditor.js (+2 −2)
M src/www/themes/common/tlp/doc/js/main.js (+1 −1)