From ea7475c6915b03d936749d6d1b28279c7171b780 Mon Sep 17 00:00:00 2001
From: Frederik Braun
Date: Mon, 7 Oct 2019 16:33:29 +0200
Subject: [PATCH 1/2] add eslint-plugin-no-unsanitized for DOM XSS linting
---
 package.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/package.json b/package.json
index d6cdec830..162b3f358 100644
--- a/package.json
+++ b/package.json
@@ -51,8 +51,25 @@
 "src/test/js/**",
 "src/webpack/**"
 ],
+ "plugins": ["no-unsanitized"],
 "rules": {
 "no-negated-condition": "warn",
+ "no-unsanitized/method": ["error",
+ {
+ "escape": {
+ "methods": [
+ "DOMPurify.sanitize"
+ ]
+ }
+ }],
+ "no-unsanitized/property": ["error",
+ {
+ "escape": {
+ "methods": [
+ "DOMPurify.sanitize"
+ ]
+ }
+ }],
 "no-unused-vars": "warn",
 "prefer-destructuring": "warn",
 "unicorn/no-for-loop": "warn",
@@ -80,6 +97,7 @@
 "devDependencies": {
 "ava": "^2.4.0",
 "css-loader": "^3.2.0",
+ "eslint-plugin-no-unsanitized": "^3.0.2",
 "lint-staged": "^9.4.2",
 "vue-loader": "^15.7.1",
 "vue-style-loader": "^4.1.2",
From 8bcfa3ab61b9d81db11c3b4a7781601d47723040 Mon Sep 17 00:00:00 2001
From: Frederik Braun
Date: Thu, 10 Oct 2019 13:59:38 +0200
Subject: [PATCH 2/2] Temporarily whitelist existing uses of innerHTML badness.
---
 src/main/zapHomeFiles/hud/display.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/main/zapHomeFiles/hud/display.js b/src/main/zapHomeFiles/hud/display.js
index f9cd17450..57b34e3ac 100644
--- a/src/main/zapHomeFiles/hud/display.js
+++ b/src/main/zapHomeFiles/hud/display.js
@@ -1113,6 +1113,8 @@ navigator.serviceWorker.addEventListener('message', event => {
 channel.port1.addEventListener('message', event => {
 // Open window and inject the HTML report
+ // FIXME: remove after #620
+ // eslint-disable-next-line no-unsanitized/property
 window.open('').document.body.innerHTML = event.data.response;
 });
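Review bot: In the first package.json hunk, both `no-unsanitized/method` and `no-unsanitized/property` list `DOMPurify.sanitize` as an accepted escape method, and the plugin matches such a call by its callee name, so anything named `DOMPurify` in a linted file satisfies the rule regardless of what it actually does. Nothing in this patch adds `dompurify` to the dependencies (it may already be declared outside the hunks shown), so it is worth confirming that linted files resolve `DOMPurify` to the real library rather than a local helper. package.json cannot carry a comment, so that expectation belongs in the contributor documentation next to the lint instructions. The `"rules"` object continues past the end of the hunk.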
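Review bot: The suppression in display.js keeps an unsanitized HTML sink live: `event.data.response` is assigned to `innerHTML` in a window opened with `window.open('')`, and such a blank window shares the opener's origin, so active markup in the report would run as the HUD page. The two added comments give only an issue number; state the reason and the exit condition in place, e.g. `// FIXME(#620): event.data.response is written as HTML unsanitized; pass it through DOMPurify.sanitize() and delete this disable`. Limiting the disable to one line and one rule, as done here, is the right scope. The enclosing `navigator.serviceWorker` message handler starts and ends outside the hunk, so where `response` originates is not visible from here.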