npm - @lipemat/eslint-config - Versions diffs - 5.0.0-beta.3 → 5.0.0-beta.5 - Mend

@lipemat/eslint-config 5.0.0-beta.3 → 5.0.0-beta.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/index.js CHANGED Viewed

@@ -7,10 +7,6 @@ import globals from 'globals';
 import stylisticTs from '@stylistic/eslint-plugin-ts';
 import { getConfig } from './helpers/config.js';
 const flatCompat = new FlatCompat();
-/**
- * Default config if no extensions override it.
- *
- */
 const BASE_CONFIG = {
     languageOptions: {
         ecmaVersion: 7,
@@ -115,16 +111,20 @@ const TS_CONFIG = {
 /**
  * Merge in any extensions' config.
  */
-let mergedConfig = [BASE_CONFIG, TS_CONFIG];
+const defaultConfig = [
+    BASE_CONFIG,
+    TS_CONFIG,
+    securityPlugin.configs.recommended,
+];
+let mergedConfig = [];
 try {
-    mergedConfig = getConfig(mergedConfig);
+    mergedConfig = getConfig(defaultConfig);
 }
 catch (e) {
+    // JS Boilerplate is likely not installed.
     console.debug(e);
-    // JS Boilerplate is not installed.
 }
 export default [
-    ...securityPlugin.configs.recommended,
     ...fixupConfigRules(flatCompat.extends('plugin:@wordpress/eslint-plugin/recommended-with-formatting')),
     ...fixupConfigRules(flatCompat.extends('plugin:deprecation/recommended')),
     ...mergedConfig,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lipemat/eslint-config",
-  "version": "5.0.0-beta.3",
+  "version": "5.0.0-beta.5",
   "license": "MIT",
   "description": "Eslint configuration for all @lipemat packages",
   "engines": {

package/plugins/security/index.js CHANGED Viewed

@@ -25,27 +25,25 @@ const plugin = {
         'window-escaping': windowEscaping,
     },
     configs: {
-        recommended: [],
+        recommended: {},
     },
 };
 // Freeze the plugin to prevent modifications and use the plugin within.
 plugin.configs = Object.freeze({
-    recommended: [
-        {
-            plugins: {
-                '@lipemat/security': plugin,
-            },
-            rules: {
-                '@lipemat/security/dangerously-set-inner-html': 'error',
-                '@lipemat/security/html-executing-assignment': 'error',
-                '@lipemat/security/html-executing-function': 'error',
-                '@lipemat/security/html-sinks': 'error',
-                '@lipemat/security/html-string-concat': 'error',
-                '@lipemat/security/jquery-executing': 'error',
-                '@lipemat/security/vulnerable-tag-stripping': 'error',
-                '@lipemat/security/window-escaping': 'error',
-            },
+    recommended: {
+        plugins: {
+            '@lipemat/security': plugin,
         },
-    ],
+        rules: {
+            '@lipemat/security/dangerously-set-inner-html': 'error',
+            '@lipemat/security/html-executing-assignment': 'error',
+            '@lipemat/security/html-executing-function': 'error',
+            '@lipemat/security/html-sinks': 'error',
+            '@lipemat/security/html-string-concat': 'error',
+            '@lipemat/security/jquery-executing': 'error',
+            '@lipemat/security/vulnerable-tag-stripping': 'error',
+            '@lipemat/security/window-escaping': 'error',
+        },
+    },
 });
 export default plugin;

package/plugins/security/rules/dangerously-set-inner-html.js CHANGED Viewed

@@ -29,12 +29,15 @@ const plugin = {
     defaultOptions: [],
     meta: {
         type: 'problem',
-        fixable: 'code',
+        hasSuggestions: true,
         docs: {
             description: 'Disallow using unsanitized values in dangerouslySetInnerHTML',
         },
         messages: {
             dangerousInnerHtml: 'Any HTML passed to `dangerouslySetInnerHTML` gets executed. Please make sure it\'s properly escaped.',
+            // Suggestions
+            domPurify: 'Wrap the content with a `DOMPurify.sanitize()` call.',
+            sanitize: 'Wrap the content with a `sanitize()` call.',
         },
         schema: [],
     },
@@ -51,9 +54,20 @@ const plugin = {
                 context.report({
                     node,
                     messageId: 'dangerousInnerHtml',
-                    fix: (fixer) => {
-                        return fixer.replaceText(node, `dangerouslySetInnerHTML={{__html: DOMPurify.sanitize( ${context.sourceCode.getText(htmlValue)} )}}`);
-                    },
+                    suggest: [
+                        {
+                            messageId: 'domPurify',
+                            fix: (fixer) => {
+                                return fixer.replaceText(node, `dangerouslySetInnerHTML={{__html: DOMPurify.sanitize( ${context.sourceCode.getText(htmlValue)} )}}`);
+                            },
+                        },
+                        {
+                            messageId: 'sanitize',
+                            fix: (fixer) => {
+                                return fixer.replaceText(node, `dangerouslySetInnerHTML={{__html: sanitize( ${context.sourceCode.getText(htmlValue)} )}}`);
+                            },
+                        },
+                    ],
                 });
             },
         };

package/plugins/security/rules/html-executing-assignment.js CHANGED Viewed

@@ -13,7 +13,6 @@ const plugin = {
         docs: {
             description: 'Disallow using unsanitized values in HTML executing property assignments',
         },
-        fixable: 'code',
         hasSuggestions: true,
         messages: {
             executed: 'Any HTML used with `{{propertyName}}` gets executed. Make sure it\'s properly escaped.',

package/plugins/security/rules/html-executing-function.js CHANGED Viewed

@@ -64,7 +64,6 @@ const plugin = {
         docs: {
             description: 'Disallow using unsanitized values in functions that execute HTML',
         },
-        fixable: 'code',
         hasSuggestions: true,
         messages: {
             'document.write': 'Any HTML used with `document.write` gets executed. Make sure it\'s properly escaped.',

package/plugins/security/rules/jquery-executing.js CHANGED Viewed

@@ -55,7 +55,6 @@ const plugin = {
         docs: {
             description: 'Disallow using unsanitized values in jQuery methods that execute HTML',
         },
-        fixable: 'code',
         hasSuggestions: true,
         messages: {
             needsEscaping: 'Any HTML used with `{{methodName}}` gets executed. Make sure it\'s properly escaped.',

package/plugins/security/rules/vulnerable-tag-stripping.js CHANGED Viewed

@@ -33,7 +33,6 @@ const plugin = {
         docs: {
             description: 'Disallow jQuery .html().text() chaining which can lead to XSS through tag stripping',
         },
-        fixable: 'code',
         hasSuggestions: true,
         messages: {
             vulnerableTagStripping: 'Using .html().text() can lead to XSS vulnerabilities through tag stripping. Use only .text()',

package/plugins/security/utils/shared.js CHANGED Viewed

@@ -63,11 +63,14 @@ export function isLiteralString(node) {
 }
 /**
  * Check if a node is a literal string that is safe to use in an HTML context.
- * - Must be a literal string.
+ * - Must be a literal string. Or a conditional expression where both branches are safe literal strings.
  * - Must not contain `<script`.
  * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
  */
 export function isSafeLiteralString(node) {
+    if (AST_NODE_TYPES.ConditionalExpression === node.type) {
+        return isSafeLiteralString(node.consequent) && isSafeLiteralString(node.alternate);
+    }
     if (!isLiteralString(node)) {
         return false;
     }

package/types/plugins/security/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import type { FlatConfig } from '@typescript-eslint/utils/ts-eslint';
 type Plugin = FlatConfig.Plugin & {
     configs: {
-        recommended: FlatConfig.ConfigArray;
+        recommended: FlatConfig.Config;
     };
 };
 declare const plugin: Plugin;

package/types/plugins/security/rules/dangerously-set-inner-html.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
 import { type TSESLint } from '@typescript-eslint/utils';
-declare const plugin: TSESLint.RuleModule<'dangerousInnerHtml'>;
+type Messages = 'dangerousInnerHtml' | 'sanitize' | 'domPurify';
+declare const plugin: TSESLint.RuleModule<Messages>;
 export default plugin;

package/types/plugins/security/utils/shared.d.ts CHANGED Viewed

@@ -32,7 +32,7 @@ export declare function isSanitized(node: TSESTree.Property['value'] | TSESTree.
 export declare function isLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): node is TSESTree.StringLiteral;
 /**
  * Check if a node is a literal string that is safe to use in an HTML context.
- * - Must be a literal string.
+ * - Must be a literal string. Or a conditional expression where both branches are safe literal strings.
  * - Must not contain `<script`.
  * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
  */