@lipemat/eslint-config 5.0.0-beta.4 → 5.0.0

package/helpers/config.js

@@ -21,11 +21,11 @@ import { getExtensionsConfig } from '@lipemat/js-boilerplate/helpers/config.js';
  */
 export function getConfig(configs) {
     const BASE = {
-        configs: configs
+        configs,
     };
     const mergedConfig = {
         ...BASE,
-        ...getExtensionsConfig('eslint.config', BASE)
+        ...getExtensionsConfig('eslint.config', BASE),
     };
     return mergedConfig.configs;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lipemat/eslint-config",
-  "version": "5.0.0-beta.4",
+  "version": "5.0.0",
   "license": "MIT",
   "description": "Eslint configuration for all @lipemat packages",
   "engines": {

package/plugins/security/helpers/dom-purify.js

@@ -0,0 +1,18 @@
+import { AST_NODE_TYPES } from '@typescript-eslint/utils';
+/**
+ * Check if a node is a call to a known sanitization function.
+ * - Currently recognizes `sanitize(...)` and `DOMPurify.sanitize(...)`.
+ */
+export function isSanitized(node) {
+    if (AST_NODE_TYPES.CallExpression !== node.type) {
+        return false;
+    }
+    if (AST_NODE_TYPES.Identifier === node.callee.type && 'sanitize' === node.callee.name) {
+        return true;
+    }
+    if (AST_NODE_TYPES.MemberExpression === node.callee.type && AST_NODE_TYPES.Identifier === node.callee.object.type) {
+        return 'dompurify' === node.callee.object.name.toLowerCase() &&
+            AST_NODE_TYPES.Identifier === node.callee.property.type && 'sanitize' === node.callee.property.name;
+    }
+    return false;
+}

package/plugins/security/helpers/element.js

@@ -0,0 +1,18 @@
+import { getType } from './ts-types.js';
+/**
+ * Is the type of variable being passed a DOM element?
+ *
+ * - DOM elements are of the type `HTML{*}Element`.
+ * - DOM elements do not require sanitization.
+ *
+ * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
+ */
+export function isDomElementType(expression, context) {
+    const type = getType(expression, context);
+    const name = type.getSymbol()?.escapedName ?? '';
+    // Match any type that ends with "Element", e.g., HTMLElement, HTMLDivElement, Element, etc.
+    if ('Element' === name) {
+        return true;
+    }
+    return name.startsWith('HTML') && name.endsWith('Element');
+}

package/plugins/security/helpers/string.js

@@ -0,0 +1,39 @@
+import { AST_NODE_TYPES } from '@typescript-eslint/utils';
+import { getType } from './ts-types.js';
+/**
+ * Is the node of type string.
+ * - String literals.
+ * - constants of type string.
+ * - template literals.
+ * - intrinsic type string.
+ */
+export function isStringLike(node, context) {
+    const type = getType(node, context);
+    const literal = type.isStringLiteral();
+    const intrinsic = 'intrinsicName' in type && 'string' === type.intrinsicName;
+    return (AST_NODE_TYPES.Literal === node.type && 'string' === typeof node.value) || (AST_NODE_TYPES.TemplateLiteral === node.type) || literal || intrinsic;
+}
+/**
+ * Check if a node is a literal string
+ */
+export function isLiteralString(node) {
+    return AST_NODE_TYPES.Literal === node.type && 'string' === typeof node.value;
+}
+/**
+ * Check if a node is a literal string that is safe to use in an HTML context.
+ * - Must be a literal string. Or a conditional expression where both branches are safe literal strings.
+ * - Must not contain `<script`.
+ * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
+ */
+export function isSafeLiteralString(node) {
+    if (AST_NODE_TYPES.ConditionalExpression === node.type) {
+        return isSafeLiteralString(node.consequent) && isSafeLiteralString(node.alternate);
+    }
+    if (!isLiteralString(node)) {
+        return false;
+    }
+    if (node.value.includes('<script')) {
+        return false;
+    }
+    return !/^\s*(?:javascript|data|vbscript|about|livescript)\s*:/i.test(decodeURIComponent(node.value.replace(/[\u0000-\u001F\u007F]+/g, '')));
+}

package/plugins/security/helpers/ts-types.js

@@ -0,0 +1,9 @@
+import { ESLintUtils } from '@typescript-eslint/utils';
+/**
+ * Get the TypeScript type of node.
+ */
+export function getType(expression, context) {
+    const { getTypeAtLocation } = ESLintUtils.getParserServices(context);
+    const type = getTypeAtLocation(expression);
+    return type.getNonNullableType();
+}

package/plugins/security/rules/dangerously-set-inner-html.js

@@ -1,5 +1,5 @@
 import { AST_NODE_TYPES } from '@typescript-eslint/utils';
-import { isSanitized } from '../utils/shared.js';
+import { isSanitized } from '../helpers/dom-purify.js';
 function isDangerouslySetInnerHTML(node) {
     return ('JSXAttribute' === node.type &&
         'dangerouslySetInnerHTML' === node.name.name);

package/plugins/security/rules/html-executing-assignment.js

@@ -1,5 +1,7 @@
 import { AST_NODE_TYPES } from '@typescript-eslint/utils';
-import { isDomElementType, isSafeLiteralString, isSanitized } from '../utils/shared.js';
+import { isSafeLiteralString } from '../helpers/string.js';
+import { isSanitized } from '../helpers/dom-purify.js';
+import { isDomElementType } from '../helpers/element.js';
 const UNSAFE_PROPERTIES = [
     'innerHTML',
     'outerHTML',

package/plugins/security/rules/html-executing-function.js

@@ -1,6 +1,8 @@
 import { AST_NODE_TYPES } from '@typescript-eslint/utils';
-import { isDomElementType, isSafeLiteralString, isSanitized } from '../utils/shared.js';
 import { isJQueryCall } from './jquery-executing.js';
+import { isSafeLiteralString } from '../helpers/string.js';
+import { isSanitized } from '../helpers/dom-purify.js';
+import { isDomElementType } from '../helpers/element.js';
 const DOCUMENT_METHODS = [
     'document.write',
     'document.writeln',

package/plugins/security/rules/html-sinks.js

@@ -1,5 +1,6 @@
 import { AST_NODE_TYPES } from '@typescript-eslint/utils';
-import { isLiteralString, isSanitized, isStringLike } from '../utils/shared.js';
+import { isLiteralString, isStringLike } from '../helpers/string.js';
+import { isSanitized } from '../helpers/dom-purify.js';
 /**
  * Get the callee name from a call expression
  */

package/plugins/security/rules/jquery-executing.js

@@ -1,5 +1,6 @@
 import { AST_NODE_TYPES } from '@typescript-eslint/utils';
-import { getType, isSanitized } from '../utils/shared.js';
+import { isSanitized } from '../helpers/dom-purify.js';
+import { getType } from '../helpers/ts-types.js';
 /**
  * @link https://docs.wpvip.com/security/javascript-security-recommendations/#h-stripping-tags
  */

package/plugins/security/rules/window-escaping.js

@@ -1,5 +1,6 @@
 import { AST_NODE_TYPES } from '@typescript-eslint/utils';
-import { isLiteralString, isSanitized } from '../utils/shared.js';
+import { isLiteralString } from '../helpers/string.js';
+import { isSanitized } from '../helpers/dom-purify.js';
 // Window and location properties that need special handling
 const LOCATION_PROPS = new Set(['href', 'src', 'action',
     'protocol', 'host', 'hostname', 'pathname', 'search', 'hash', 'username', 'port', 'name', 'status',

package/types/plugins/security/helpers/dom-purify.d.ts

@@ -0,0 +1,6 @@
+import { type TSESTree } from '@typescript-eslint/utils';
+/**
+ * Check if a node is a call to a known sanitization function.
+ * - Currently recognizes `sanitize(...)` and `DOMPurify.sanitize(...)`.
+ */
+export declare function isSanitized(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;

package/types/plugins/security/helpers/element.d.ts

@@ -0,0 +1,10 @@
+import type { TSESLint, TSESTree } from '@typescript-eslint/utils';
+/**
+ * Is the type of variable being passed a DOM element?
+ *
+ * - DOM elements are of the type `HTML{*}Element`.
+ * - DOM elements do not require sanitization.
+ *
+ * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
+ */
+export declare function isDomElementType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): boolean;

package/types/plugins/security/helpers/string.d.ts

@@ -0,0 +1,20 @@
+import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
+/**
+ * Is the node of type string.
+ * - String literals.
+ * - constants of type string.
+ * - template literals.
+ * - intrinsic type string.
+ */
+export declare function isStringLike(node: TSESTree.CallExpressionArgument, context: Readonly<TSESLint.RuleContext<string, readonly []>>): boolean;
+/**
+ * Check if a node is a literal string
+ */
+export declare function isLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): node is TSESTree.StringLiteral;
+/**
+ * Check if a node is a literal string that is safe to use in an HTML context.
+ * - Must be a literal string. Or a conditional expression where both branches are safe literal strings.
+ * - Must not contain `<script`.
+ * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
+ */
+export declare function isSafeLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;

package/types/plugins/security/helpers/ts-types.d.ts

@@ -0,0 +1,6 @@
+import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
+import type { Type } from 'typescript';
+/**
+ * Get the TypeScript type of node.
+ */
+export declare function getType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): Type;

package/plugins/security/utils/shared.js

@@ -1,78 +0,0 @@
-import { AST_NODE_TYPES, ESLintUtils } from '@typescript-eslint/utils';
-import {} from 'typescript';
-/**
- * Is the node of type string.
- * - String literals.
- * - constants of type string.
- * - template literals.
- * - intrinsic type string.
- */
-export function isStringLike(node, context) {
-    const type = getType(node, context);
-    const literal = type.isStringLiteral();
-    const intrinsic = 'intrinsicName' in type && 'string' === type.intrinsicName;
-    return (AST_NODE_TYPES.Literal === node.type && 'string' === typeof node.value) || (AST_NODE_TYPES.TemplateLiteral === node.type) || literal || intrinsic;
-}
-/**
- * Get the TypeScript type of node.
- */
-export function getType(expression, context) {
-    const { getTypeAtLocation } = ESLintUtils.getParserServices(context);
-    const type = getTypeAtLocation(expression);
-    return type.getNonNullableType();
-}
-/**
- * Is the type of variable being passed a DOM element?
- *
- * - DOM elements are of the type `HTML{*}Element`.
- * - DOM elements do not require sanitization.
- *
- * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
- */
-export function isDomElementType(expression, context) {
-    const type = getType(expression, context);
-    const name = type.getSymbol()?.escapedName ?? '';
-    // Match any type that ends with "Element", e.g., HTMLElement, HTMLDivElement, Element, etc.
-    if ('Element' === name) {
-        return true;
-    }
-    return name.startsWith('HTML') && name.endsWith('Element');
-}
-/**
- * Check if a node is a call to a known sanitization function.
- * - Currently recognizes `sanitize(...)` and `DOMPurify.sanitize(...)`.
- */
-export function isSanitized(node) {
-    if (AST_NODE_TYPES.CallExpression !== node.type) {
-        return false;
-    }
-    if (AST_NODE_TYPES.Identifier === node.callee.type && 'sanitize' === node.callee.name) {
-        return true;
-    }
-    if (AST_NODE_TYPES.MemberExpression === node.callee.type && AST_NODE_TYPES.Identifier === node.callee.object.type) {
-        return 'dompurify' === node.callee.object.name.toLowerCase() &&
-            AST_NODE_TYPES.Identifier === node.callee.property.type && 'sanitize' === node.callee.property.name;
-    }
-    return false;
-}
-/**
- * Check if a node is a literal string
- */
-export function isLiteralString(node) {
-    return AST_NODE_TYPES.Literal === node.type && 'string' === typeof node.value;
-}
-/**
- * Check if a node is a literal string that is safe to use in an HTML context.
- * - Must be a literal string.
- * - Must not contain `<script`.
- * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
- */
-export function isSafeLiteralString(node) {
-    if (!isLiteralString(node)) {
-        return false;
-    }
-    if (node.value.includes('<script')) {
-        return false;
-    }
-    return !/^\s*(?:javascript|data|vbscript|about|livescript)\s*:/i.test(decodeURIComponent(node.value.replace(/[\u0000-\u001F\u007F]+/g, '')));
-}

package/types/plugins/security/utils/shared.d.ts

@@ -1,39 +0,0 @@
-import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
-import { type Type } from 'typescript';
-/**
- * Is the node of type string.
- * - String literals.
- * - constants of type string.
- * - template literals.
- * - intrinsic type string.
- */
-export declare function isStringLike(node: TSESTree.CallExpressionArgument, context: Readonly<TSESLint.RuleContext<string, readonly []>>): boolean;
-/**
- * Get the TypeScript type of node.
- */
-export declare function getType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): Type;
-/**
- * Is the type of variable being passed a DOM element?
- *
- * - DOM elements are of the type `HTML{*}Element`.
- * - DOM elements do not require sanitization.
- *
- * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
- */
-export declare function isDomElementType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): boolean;
-/**
- * Check if a node is a call to a known sanitization function.
- * - Currently recognizes `sanitize(...)` and `DOMPurify.sanitize(...)`.
- */
-export declare function isSanitized(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;
-/**
- * Check if a node is a literal string
- */
-export declare function isLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): node is TSESTree.StringLiteral;
-/**
- * Check if a node is a literal string that is safe to use in an HTML context.
- * - Must be a literal string.
- * - Must not contain `<script`.
- * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
- */
-export declare function isSafeLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;