Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8dc8e85cf2ea6bd61a2160e2b2c0da6455b4817f
FrenoCorp/node_modules/eslint-plugin-solid/src/rules/no-innerhtml.ts
Michael Freno 7c684a42cc FRE-600: Fix code review blockers 
- Consolidated duplicate UndoManagers to single instance
- Fixed connection promise to only resolve on 'connected' status
- Fixed WebSocketProvider import (WebsocketProvider)
- Added proper doc.destroy() cleanup
- Renamed isPresenceInitialized property to avoid conflict

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-25 00:08:01 -04:00

144 lines
4.9 KiB
TypeScript
Raw Blame History

/**
* FIXME: remove this comments and import when below issue is fixed.
* This import is necessary for type generation due to a bug in the TypeScript compiler.
* See: https://github.com/microsoft/TypeScript/issues/42873
*/
// eslint-disable-next-line @typescript-eslint/no-unused-vars
import type { TSESLint } from "@typescript-eslint/utils";
import { ESLintUtils, ASTUtils } from "@typescript-eslint/utils";
import isHtml from "is-html";
import { jsxPropName } from "../utils";
const createRule = ESLintUtils.RuleCreator.withoutDocs;
const { getStringIfConstant } = ASTUtils;
type MessageIds = "dangerous" | "conflict" | "notHtml" | "useInnerText" | "dangerouslySetInnerHTML";
type Options = [{ allowStatic?: boolean }?];
export default createRule<Options, MessageIds>({
meta: {
type: "problem",
docs: {
description:
"Disallow usage of the innerHTML attribute, which can often lead to security vulnerabilities.",
url: "https://github.com/solidjs-community/eslint-plugin-solid/blob/main/docs/no-innerhtml.md",
},
fixable: "code",
hasSuggestions: true,
schema: [
{
type: "object",
properties: {
allowStatic: {
description:
"if the innerHTML value is guaranteed to be a static HTML string (i.e. no user input), allow it",
type: "boolean",
default: true,
},
},
additionalProperties: false,
},
],
messages: {
dangerous:
"The innerHTML attribute is dangerous; passing unsanitized input can lead to security vulnerabilities.",
conflict:
"The innerHTML attribute should not be used on an element with child elements; they will be overwritten.",
notHtml: "The string passed to innerHTML does not appear to be valid HTML.",
useInnerText: "For text content, using innerText is clearer and safer.",
dangerouslySetInnerHTML:
"The dangerouslySetInnerHTML prop is not supported; use innerHTML instead.",
},
},
defaultOptions: [{ allowStatic: true }],
create(context) {
const allowStatic = Boolean(context.options[0]?.allowStatic ?? true);
return {
JSXAttribute(node) {
if (jsxPropName(node) === "dangerouslySetInnerHTML") {
if (
node.value?.type === "JSXExpressionContainer" &&
node.value.expression.type === "ObjectExpression" &&
node.value.expression.properties.length === 1
) {
const htmlProp = node.value.expression.properties[0];
if (
htmlProp.type === "Property" &&
htmlProp.key.type === "Identifier" &&
htmlProp.key.name === "__html"
) {
context.report({
node,
messageId: "dangerouslySetInnerHTML",
fix: (fixer) => {
const propRange = node.range;
const valueRange = htmlProp.value.range;
return [
fixer.replaceTextRange([propRange[0], valueRange[0]], "innerHTML={"),
fixer.replaceTextRange([valueRange[1], propRange[1]], "}"),
];
},
});
} else {
context.report({
node,
messageId: "dangerouslySetInnerHTML",
});
}
} else {
context.report({
node,
messageId: "dangerouslySetInnerHTML",
});
}
return;
} else if (jsxPropName(node) !== "innerHTML") {
return;
}
if (allowStatic) {
const innerHtmlNode =
node.value?.type === "JSXExpressionContainer" ? node.value.expression : node.value;
const innerHtml = innerHtmlNode && getStringIfConstant(innerHtmlNode);
if (typeof innerHtml === "string") {
if (isHtml(innerHtml)) {
// go up to enclosing JSXElement and check if it has children
if (
node.parent?.parent?.type === "JSXElement" &&
node.parent.parent.children?.length
) {
context.report({
node: node.parent.parent, // report error on JSXElement instead of JSXAttribute
messageId: "conflict",
});
}
} else {
context.report({
node,
messageId: "notHtml",
suggest: [
{
fix: (fixer) => fixer.replaceText(node.name, "innerText"),
messageId: "useInnerText",
},
],
});
}
} else {
context.report({
node,
messageId: "dangerous",
});
}
} else {
context.report({
node,
messageId: "dangerous",
});
}
},
};
},
});
Reference in New Issue View Git Blame Copy Permalink