@lipemat/eslint-config 5.0.1 → 5.1.0-beta.1

package/plugins/security/rules/html-executing-function.ts

@@ -0,0 +1,164 @@
+import {AST_NODE_TYPES, type TSESLint, type TSESTree} from '@typescript-eslint/utils';
+import {isJQueryCall} from './jquery-executing.js';
+import {isSafeLiteralString} from '../helpers/string.js';
+import {isSanitized} from '../helpers/dom-purify.js';
+import {isDomElementType} from '../helpers/element.js';
+
+type HtmlExecutingFunctions = 'document.write' | 'document.writeln';
+
+type UnsafeCalls =
+	'after'
+	| 'append'
+	| 'before'
+	| 'insertAdjacentHTML'
+	| 'prepend'
+	| 'replaceWith'
+	| 'setAttribute';
+
+
+type Messages = HtmlExecutingFunctions | UnsafeCalls | 'sanitize' | 'domPurify';
+type Context = TSESLint.RuleContext<Messages, []>;
+
+
+const DOCUMENT_METHODS: HtmlExecutingFunctions[] = [
+	'document.write',
+	'document.writeln',
+];
+
+const SECOND_ARG_METHODS = new Set<UnsafeCalls>( [
+	'insertAdjacentHTML',
+	'setAttribute',
+] );
+
+const UNSAFE_METHODS = [
+	'after', 'append', 'before', 'insertAdjacentHTML', 'prepend', 'replaceWith', 'setAttribute',
+] as const satisfies readonly UnsafeCalls[];
+
+function isDocumentMethod( methodName: string ): methodName is HtmlExecutingFunctions {
+	return DOCUMENT_METHODS.includes( methodName as HtmlExecutingFunctions );
+}
+
+function isUnsafeMethod( methodName: string ): methodName is UnsafeCalls {
+	return UNSAFE_METHODS.includes( methodName as UnsafeCalls );
+}
+
+function isSecondArgMethod( methodName: string ): methodName is UnsafeCalls {
+	return SECOND_ARG_METHODS.has( methodName as UnsafeCalls );
+}
+
+
+function getDocumentCall( node: TSESTree.CallExpression ): HtmlExecutingFunctions | null {
+	let calleeName = '';
+	if ( AST_NODE_TYPES.Identifier === node.callee.type ) {
+		calleeName = node.callee.name;
+	} else if ( AST_NODE_TYPES.MemberExpression === node.callee.type ) {
+		if ( 'name' in node.callee.object ) {
+			calleeName = node.callee.object.name;
+			if ( 'name' in node.callee.property ) {
+				calleeName += '.' + node.callee.property.name;
+			}
+		} else if ( 'name' in node.callee.property ) {
+			calleeName = node.callee.property.name;
+		}
+	}
+	if ( isDocumentMethod( calleeName ) ) {
+		return calleeName;
+	}
+
+	return null;
+}
+
+
+function getElementMethodCall( node: TSESTree.CallExpression, context: Context ): UnsafeCalls | null {
+	if ( AST_NODE_TYPES.MemberExpression !== node.callee.type || AST_NODE_TYPES.Identifier !== node.callee.property.type ) {
+		return null;
+	}
+	const methodName = node.callee.property.name;
+	if ( ! isDomElementType( node.callee.object, context ) ) {
+		return null; // We only care about DOM element method calls.
+	}
+
+	if ( ! isUnsafeMethod( methodName ) ) {
+		return null;
+	}
+	if ( isJQueryCall( node ) ) {
+		return null; // Handled in jquery-executing rule
+	}
+	return methodName;
+}
+
+
+const plugin: TSESLint.RuleModule<Messages> = {
+	defaultOptions: [],
+	meta: {
+		docs: {
+			description: 'Disallow using unsanitized values in functions that execute HTML',
+		},
+		hasSuggestions: true,
+		messages: {
+			'document.write': 'Any HTML used with `document.write` gets executed. Make sure it\'s properly escaped.',
+			'document.writeln': 'Any HTML used with `document.writeln` gets executed. Make sure it\'s properly escaped.',
+			after: 'Any HTML used with `after` gets executed. Make sure it\'s properly escaped.',
+			append: 'Any HTML used with `append` gets executed. Make sure it\'s properly escaped.',
+			before: 'Any HTML used with `before` gets executed. Make sure it\'s properly escaped.',
+			insertAdjacentHTML: 'Any HTML used with `insertAdjacentHTML` gets executed. Make sure it\'s properly escaped.',
+			prepend: 'Any HTML used with `prepend` gets executed. Make sure it\'s properly escaped.',
+			replaceWith: 'Any HTML used with `replaceWith` gets executed. Make sure it\'s properly escaped.',
+			setAttribute: 'Any HTML used with `setAttribute` can lead to XSS. Make sure it\'s properly escaped.',
+
+			// Suggestions
+			domPurify: 'Wrap the argument with a `DOMPurify.sanitize()` call.',
+			sanitize: 'Wrap the argument with a `sanitize()` call.',
+		},
+		schema: [],
+		type: 'problem',
+
+	},
+	create( context: Context ): TSESLint.RuleListener {
+		return {
+			CallExpression( node: TSESTree.CallExpression ) {
+				let method: HtmlExecutingFunctions | UnsafeCalls | null;
+				const documentMethod = getDocumentCall( node );
+
+				if ( null !== documentMethod ) {
+					method = documentMethod;
+				} else {
+					method = getElementMethodCall( node, context );
+					if ( null === method ) {
+						return;
+					}
+				}
+
+				let arg: TSESTree.CallExpressionArgument = node.arguments[ 0 ];
+				if ( isSecondArgMethod( method ) ) {
+					arg = node.arguments[ 1 ];
+				}
+
+				if ( ! isSafeLiteralString( arg ) && ! isSanitized( arg ) && ! isDomElementType<Context>( arg, context ) ) {
+					context.report( {
+						node,
+						messageId: method,
+						suggest: [
+							{
+								messageId: 'domPurify',
+								fix: ( fixer: TSESLint.RuleFixer ) => {
+									const argText = context.sourceCode.getText( arg );
+									return fixer.replaceText( arg, `DOMPurify.sanitize( ${argText} )` );
+								},
+							},
+							{
+								messageId: 'sanitize',
+								fix: ( fixer: TSESLint.RuleFixer ) => {
+									const argText = context.sourceCode.getText( arg );
+									return fixer.replaceText( arg, `sanitize( ${argText} )` );
+								},
+							},
+						],
+					} );
+				}
+			},
+		};
+	},
+};
+
+export default plugin;

package/plugins/security/rules/html-sinks.js

@@ -121,3 +121,4 @@ const plugin = {
     },
 };
 export default plugin;
+//# sourceMappingURL=html-sinks.js.map

package/plugins/security/rules/html-sinks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-sinks.js","sourceRoot":"","sources":["html-sinks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAA+B,MAAM,0BAA0B,CAAC;AACtF,OAAO,EAAC,eAAe,EAAE,YAAY,EAAC,MAAM,sBAAsB,CAAC;AACnE,OAAO,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAYrD;;GAEG;AACH,SAAS,aAAa,CAAE,IAA6B;IACpD,IAAK,cAAc,CAAC,UAAU,KAAK,IAAI,CAAC,MAAM,CAAC,IAAI,EAAG,CAAC;QACtD,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IACzB,CAAC;SAAM,IAAK,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,MAAM,CAAC,IAAI,EAAG,CAAC;QACnE,IAAK,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAG,CAAC;YACtE,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAClE,CAAC;aAAM,IAAK,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAG,CAAC;YAC7C,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAClC,CAAC;IACF,CAAC;IACD,OAAO,EAAE,CAAC;AACX,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAE,IAAmC;IAChE,IAAK,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI,EAAG,CAAC;QAC1D,OAAO,KAAK,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC;IAC7B,IAAK,cAAc,CAAC,gBAAgB,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAE,CAAE,MAAM,IAAI,UAAU,CAAC,QAAQ,CAAE,EAAG,CAAC;QACzG,OAAO,KAAK,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC;IACvC,IAAK,CAAE,CAAE,MAAM,IAAI,YAAY,CAAC,MAAM,CAAE,IAAI,CAAE,CAAE,MAAM,IAAI,YAAY,CAAC,QAAQ,CAAE,EAAG,CAAC;QACpF,OAAO,KAAK,CAAC;IACd,CAAC;IAED,OAAO,CACN,MAAM,KAAK,YAAY,CAAC,MAAM,CAAC,IAAI;QACnC,OAAO,KAAK,YAAY,CAAC,QAAQ,CAAC,IAAI;QACtC,SAAS,KAAK,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtC,CAAC;AACH,CAAC;AAED,MAAM,MAAM,GAAkC;IAC7C,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACL,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACL,WAAW,EAAE,0IAA0I;SACvJ;QACD,QAAQ,EAAE;YACT,gBAAgB,EAAE,kEAAkE;YACpF,iBAAiB,EAAE,mEAAmE;YACtF,qBAAqB,EAAE,yDAAyD;YAChF,kBAAkB,EAAE,0FAA0F;YAC9G,QAAQ,EAAE,yBAAyB;YACnC,SAAS,EAAE,mCAAmC;SAC9C;QACD,MAAM,EAAE,EAAE;QACV,cAAc,EAAE,IAAI;KACpB;IAED,MAAM,CAAE,OAAgB;QACvB,OAAO;YACN,cAAc,CAAE,IAA6B;gBAC5C,MAAM,UAAU,GAAG,aAAa,CAAE,IAAI,CAAE,CAAC;gBAEzC,wEAAwE;gBACxE,IAAK,YAAY,KAAK,UAAU,IAAI,aAAa,KAAK,UAAU,EAAG,CAAC;oBACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAE,CAAC,CAAE,CAAC;oBACrC,IAAK,YAAY,CAAE,QAAQ,EAAE,OAAO,CAAE,EAAG,CAAC;wBACzC,OAAO,CAAC,MAAM,CAAE;4BACf,IAAI;4BACJ,SAAS,EAAE,YAAY,KAAK,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,mBAAmB;yBACjF,CAAE,CAAC;oBACL,CAAC;oBACD,OAAO;gBACR,CAAC;gBAED,+DAA+D;gBAC/D,IAAK,aAAa,KAAK,UAAU,EAAG,CAAC;oBACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAE,CAAC,CAAE,CAAC;oBACrC,IAAK,CAAE,WAAW,CAAE,QAAQ,CAAE,EAAG,CAAC;wBACjC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;wBACtC,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAE,QAAQ,CAAE,CAAC;wBAE/C,OAAO,CAAC,MAAM,CAAE;4BACf,IAAI;4BACJ,SAAS,EAAE,uBAAuB;4BAClC,OAAO,EAAE;gCACR;oCACC,SAAS,EAAE,WAAW;oCACtB,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,WAAW,CAAE,QAAQ,EAAE,uBAAuB,OAAO,IAAI,CAAE;iCAC/E;gCACD;oCACC,SAAS,EAAE,UAAU;oCACrB,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,WAAW,CAAE,QAAQ,EAAE,aAAa,OAAO,IAAI,CAAE;iCACrE;6BACD;yBACD,CAAE,CAAC;oBACL,CAAC;gBACF,CAAC;YACF,CAAC;YAED,oBAAoB,CAAE,IAAmC;gBACxD,wCAAwC;gBACxC,IAAK,mBAAmB,CAAE,IAAI,CAAE,EAAG,CAAC;oBACnC,kEAAkE;oBAClE,IAAK,CAAE,eAAe,CAAE,IAAI,CAAC,KAAK,CAAE,IAAI,CAAE,WAAW,CAAE,IAAI,CAAC,KAAK,CAAE,EAAG,CAAC;wBACtE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;wBACtC,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAE,IAAI,CAAC,KAAK,CAAE,CAAC;wBAEnD,OAAO,CAAC,MAAM,CAAE;4BACf,IAAI;4BACJ,SAAS,EAAE,oBAAoB;4BAC/B,OAAO,EAAE;gCACR;oCACC,SAAS,EAAE,WAAW;oCACtB,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,WAAW,CAAE,IAAI,CAAC,KAAK,EAAE,uBAAuB,SAAS,IAAI,CAAE;iCACnF;gCACD;oCACC,SAAS,EAAE,UAAU;oCACrB,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,WAAW,CAAE,IAAI,CAAC,KAAK,EAAE,aAAa,SAAS,IAAI,CAAE;iCACzE;6BACD;yBACD,CAAE,CAAC;oBACL,CAAC;gBACF,CAAC;YACF,CAAC;SACD,CAAC;IACH,CAAC;CACD,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/plugins/security/rules/html-sinks.ts

@@ -0,0 +1,146 @@
+import {AST_NODE_TYPES, type TSESLint, type TSESTree} from '@typescript-eslint/utils';
+import {isLiteralString, isStringLike} from '../helpers/string.js';
+import {isSanitized} from '../helpers/dom-purify.js';
+
+type Messages =
+	'setTimeoutString'
+	| 'setIntervalString'
+	| 'windowOpenUnsanitized'
+	| 'cssTextUnsanitized'
+	| 'sanitize'
+	| 'domPurify';
+
+type Context = TSESLint.RuleContext<Messages, []>;
+
+/**
+ * Get the callee name from a call expression
+ */
+function getCalleeName( node: TSESTree.CallExpression ): string {
+	if ( AST_NODE_TYPES.Identifier === node.callee.type ) {
+		return node.callee.name;
+	} else if ( AST_NODE_TYPES.MemberExpression === node.callee.type ) {
+		if ( 'name' in node.callee.object && 'name' in node.callee.property ) {
+			return `${node.callee.object.name}.${node.callee.property.name}`;
+		} else if ( 'name' in node.callee.property ) {
+			return node.callee.property.name;
+		}
+	}
+	return '';
+}
+
+/**
+ * Check if the assignment is to body.style.cssText
+ */
+function isCssTextAssignment( node: TSESTree.AssignmentExpression ): boolean {
+	if ( AST_NODE_TYPES.MemberExpression !== node.left.type ) {
+		return false;
+	}
+
+	const memberExpr = node.left;
+	if ( AST_NODE_TYPES.MemberExpression !== memberExpr.object.type || ! ( 'name' in memberExpr.property ) ) {
+		return false;
+	}
+
+	const parentMember = memberExpr.object;
+	if ( ! ( 'name' in parentMember.object ) || ! ( 'name' in parentMember.property ) ) {
+		return false;
+	}
+
+	return (
+		'body' === parentMember.object.name &&
+		'style' === parentMember.property.name &&
+		'cssText' === memberExpr.property.name
+	);
+}
+
+const plugin: TSESLint.RuleModule<Messages> = {
+	defaultOptions: [],
+	meta: {
+		type: 'problem',
+		docs: {
+			description: 'Detect security issues with HTML sinks: setTimeout/setInterval with strings, unsanitized window.open, and unsanitized body.style.cssText',
+		},
+		messages: {
+			setTimeoutString: 'setTimeout should not receive a string. Pass a function instead.',
+			setIntervalString: 'setInterval should not receive a string. Pass a function instead.',
+			windowOpenUnsanitized: 'window.open should be sanitized to prevent XSS attacks.',
+			cssTextUnsanitized: 'body.style.cssText should be sanitized when not a literal string to prevent XSS attacks.',
+			sanitize: 'Wrap with sanitize(...)',
+			domPurify: 'Wrap with DOMPurify.sanitize(...)',
+		},
+		schema: [],
+		hasSuggestions: true,
+	},
+
+	create( context: Context ): TSESLint.RuleListener {
+		return {
+			CallExpression( node: TSESTree.CallExpression ) {
+				const calleeName = getCalleeName( node );
+
+				// Handle setTimeout and setInterval with string arguments (not allowed)
+				if ( 'setTimeout' === calleeName || 'setInterval' === calleeName ) {
+					const firstArg = node.arguments[ 0 ];
+					if ( isStringLike( firstArg, context ) ) {
+						context.report( {
+							node,
+							messageId: 'setTimeout' === calleeName ? 'setTimeoutString' : 'setIntervalString',
+						} );
+					}
+					return;
+				}
+
+				// Handle window.open with string arguments (must be sanitized)
+				if ( 'window.open' === calleeName ) {
+					const firstArg = node.arguments[ 0 ];
+					if ( ! isSanitized( firstArg ) ) {
+						const sourceCode = context.sourceCode;
+						const argText = sourceCode.getText( firstArg );
+
+						context.report( {
+							node,
+							messageId: 'windowOpenUnsanitized',
+							suggest: [
+								{
+									messageId: 'domPurify',
+									fix: fixer => fixer.replaceText( firstArg, `DOMPurify.sanitize( ${argText} )` ),
+								},
+								{
+									messageId: 'sanitize',
+									fix: fixer => fixer.replaceText( firstArg, `sanitize( ${argText} )` ),
+								},
+							],
+						} );
+					}
+				}
+			},
+
+			AssignmentExpression( node: TSESTree.AssignmentExpression ) {
+				// Handle body.style.cssText assignments
+				if ( isCssTextAssignment( node ) ) {
+					// Allow literal strings but require sanitization for other values
+					if ( ! isLiteralString( node.right ) && ! isSanitized( node.right ) ) {
+						const sourceCode = context.sourceCode;
+						const rightText = sourceCode.getText( node.right );
+
+						context.report( {
+							node,
+							messageId: 'cssTextUnsanitized',
+							suggest: [
+								{
+									messageId: 'domPurify',
+									fix: fixer => fixer.replaceText( node.right, `DOMPurify.sanitize( ${rightText} )` ),
+								},
+								{
+									messageId: 'sanitize',
+									fix: fixer => fixer.replaceText( node.right, `sanitize( ${rightText} )` ),
+								},
+							],
+						} );
+					}
+				}
+			},
+		};
+	},
+};
+
+export default plugin;

package/plugins/security/rules/html-string-concat.js

@@ -61,3 +61,4 @@ const plugin = {
     },
 };
 export default plugin;
+//# sourceMappingURL=html-string-concat.js.map

package/plugins/security/rules/html-string-concat.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-string-concat.js","sourceRoot":"","sources":["html-string-concat.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAA+B,MAAM,0BAA0B,CAAC;AAItF,SAAS,cAAc,CAAE,IAAqC;IAC7D,6CAA6C;IAC7C,OAAO,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,IAAI,IAAI,GAAG,KAAK,IAAI,CAAC,QAAQ,IAAI,kBAAkB,CAAE,IAAI,CAAE,CAAC;AAC7G,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAE,IAAsD;IACzF,IAAK,cAAc,CAAC,OAAO,KAAK,IAAI,CAAC,IAAI,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,KAAK,EAAG,CAAC;QAC9E,OAAO,MAAM,CAAC,IAAI,CAAE,IAAI,CAAC,KAAK,CAAE,CAAC;IAClC,CAAC;IACD,IAAK,cAAc,CAAC,eAAe,KAAK,IAAI,CAAC,IAAI,EAAG,CAAC;QACpD,+DAA+D;QAC/D,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAE,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAE,CAAC,CAAC,KAAK,CAAC,MAAM,CAAE,CAAE,CAAC;IAC/D,CAAC;IACD,IAAK,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,IAAI,IAAI,GAAG,KAAK,IAAI,CAAC,QAAQ,EAAG,CAAC;QAC9E,OAAO,kBAAkB,CAAE,IAAI,CAAC,IAAI,CAAE,IAAI,kBAAkB,CAAE,IAAI,CAAC,KAAK,CAAE,CAAC;IAC5E,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAGD,MAAM,MAAM,GAA4C;IACvD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACL,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACL,WAAW,EAAE,sDAAsD;SACnE;QACD,QAAQ,EAAE;YACT,gBAAgB,EAAE,0HAA0H;SAC5I;QACD,MAAM,EAAE,EAAE;KACV;IACD,MAAM,CAAE,OAAgB;QACvB,OAAO;YACN,oBAAoB,CAAE,IAAmC;gBACxD,MAAM,KAAK,GAAwB,IAAI,CAAC,KAAK,CAAC;gBAC9C,IAAK,cAAc,CAAE,KAAK,CAAE,EAAG,CAAC;oBAC/B,OAAO,CAAC,MAAM,CAAE;wBACf,IAAI;wBACJ,SAAS,EAAE,kBAAkB;qBAC7B,CAAE,CAAC;gBACL,CAAC;YACF,CAAC;YAED,kBAAkB,CAAE,IAAiC;gBACpD,2DAA2D;gBAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;gBACvB,IAAK,IAAI,KAAK,IAAI,EAAG,CAAC;oBACrB,OAAO;gBACR,CAAC;gBACD,IAAK,cAAc,CAAE,IAAI,CAAE,EAAG,CAAC;oBAC9B,OAAO,CAAC,MAAM,CAAE;wBACf,IAAI;wBACJ,SAAS,EAAE,kBAAkB;qBAC7B,CAAE,CAAC;gBACL,CAAC;YACF,CAAC;SACD,CAAC;IACH,CAAC;CACD,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/plugins/security/rules/html-string-concat.ts

@@ -0,0 +1,71 @@
+import {AST_NODE_TYPES, type TSESLint, type TSESTree} from '@typescript-eslint/utils';
+
+type Context = TSESLint.RuleContext<'htmlStringConcat', []>;
+
+function isStringConcat( node: TSESTree.CallExpressionArgument ): boolean {
+	// 'foo' + userInput + 'bar' (HTML-like only)
+	return AST_NODE_TYPES.BinaryExpression === node.type && '+' === node.operator && hasHtmlLikeStrings( node );
+}
+
+/**
+ * Check if an expression contains any HTML-like strings.
+ * - Looks for `<` or `>` characters in string literals and template literals.
+ * - Recursively checks binary expressions with the ` + ` operator.
+ */
+export function hasHtmlLikeStrings( node: TSESTree.Expression | TSESTree.PrivateIdentifier ): boolean {
+	if ( AST_NODE_TYPES.Literal === node.type && 'string' === typeof node.value ) {
+		return /[<>]/.test( node.value );
+	}
+	if ( AST_NODE_TYPES.TemplateLiteral === node.type ) {
+		// Check any static part of the template for HTML-like content.
+		return node.quasis.some( q => /[<>]/.test( q.value.cooked ) );
+	}
+	if ( AST_NODE_TYPES.BinaryExpression === node.type && '+' === node.operator ) {
+		return hasHtmlLikeStrings( node.left ) || hasHtmlLikeStrings( node.right );
+	}
+	return false;
+}
+
+
+const plugin: TSESLint.RuleModule<'htmlStringConcat'> = {
+	defaultOptions: [],
+	meta: {
+		type: 'problem',
+		docs: {
+			description: 'Disallow string concatenation with HTML-like content',
+		},
+		messages: {
+			htmlStringConcat: 'HTML string concatenation detected, this is a security risk, use DOM node construction or a templating language instead.',
+		},
+		schema: [],
+	},
+	create( context: Context ): TSESLint.RuleListener {
+		return {
+			AssignmentExpression( node: TSESTree.AssignmentExpression ) {
+				const right: TSESTree.Expression = node.right;
+				if ( isStringConcat( right ) ) {
+					context.report( {
+						node,
+						messageId: 'htmlStringConcat',
+					} );
+				}
+			},
+
+			VariableDeclarator( node: TSESTree.VariableDeclarator ) {
+				// Detect string concatenation assigned at declaration time
+				const init = node.init;
+				if ( null === init ) {
+					return;
+				}
+				if ( isStringConcat( init ) ) {
+					context.report( {
+						node,
+						messageId: 'htmlStringConcat',
+					} );
+				}
+			},
+		};
+	},
+};
+
+export default plugin;

package/plugins/security/rules/jquery-executing.js

@@ -103,3 +103,4 @@ const plugin = {
     },
 };
 export default plugin;
+//# sourceMappingURL=jquery-executing.js.map

package/plugins/security/rules/jquery-executing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jquery-executing.js","sourceRoot":"","sources":["jquery-executing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAA+B,MAAM,0BAA0B,CAAC;AAEtF,OAAO,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAC,OAAO,EAAC,MAAM,wBAAwB,CAAC;AAmB/C;;GAEG;AACH,MAAM,cAAc,GAAkB;IACrC,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM;IAC/C,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,WAAW;IACrD,YAAY,EAAE,aAAa;CAC3B,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAE,GAAoC,EAAE,OAAgB;IAC1F,MAAM,OAAO,GAAS,OAAO,CAAW,GAAG,EAAE,OAAO,CAAE,CAAC;IACvD,OAAO,QAAQ,KAAK,OAAO,CAAC,SAAS,EAAE,EAAE,WAAW,CAAC;AACtD,CAAC;AAGD,SAAS,cAAc,CAAE,UAAkB;IAC1C,OAAO,cAAc,CAAC,QAAQ,CAAE,UAAyB,CAAE,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,YAAY,CAAE,IAA6B;IAC1D,IAAK,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,CAAE,CAAE,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAE,EAAG,CAAC;QACpG,OAAO,KAAK,CAAC;IACd,CAAC;IACD,4CAA4C;IAC5C,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC;IACrC,IAAK,IAAI,KAAK,GAAG,EAAG,CAAC;QACpB,OAAO,KAAK,CAAC;IACd,CAAC;IACD,OAAQ,cAAc,CAAC,gBAAgB,KAAK,GAAG,CAAC,IAAI,EAAG,CAAC;QACvD,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IAClB,CAAC;IACD,OAAO,CAAE,cAAc,CAAC,cAAc,KAAK,GAAG,CAAC,IAAI,IAAI,cAAc,CAAC,UAAU,KAAK,GAAG,CAAC,MAAM,CAAC,IAAI;QACnG,CAAE,GAAG,KAAK,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,QAAQ,KAAK,GAAG,CAAC,MAAM,CAAC,IAAI,CAAE,CAC3D,CAAC;AACH,CAAC;AAGD,MAAM,UAAU,aAAa,CAAE,IAA6B;IAC3D,6DAA6D;IAC7D,IAAK,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,CAAE,CAAE,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAE,EAAG,CAAC;QACpG,OAAO,IAAI,CAAC;IACb,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC7C,IAAK,CAAE,cAAc,CAAE,UAAU,CAAE,EAAG,CAAC;QACtC,OAAO,IAAI,CAAC;IACb,CAAC;IACD,OAAO,YAAY,CAAE,IAAI,CAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AACjD,CAAC;AAED,MAAM,MAAM,GAAkC;IAC7C,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACL,IAAI,EAAE;YACL,WAAW,EAAE,uEAAuE;SACpF;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACT,aAAa,EAAE,sFAAsF;YAErG,cAAc;YACd,SAAS,EAAE,uDAAuD;YAClE,QAAQ,EAAE,6CAA6C;SACvD;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KACf;IACD,MAAM,CAAE,OAAgB;QACvB,OAAO;YACN,cAAc,CAAE,IAA6B;gBAC5C,MAAM,UAAU,GAAG,aAAa,CAAE,IAAI,CAAE,CAAC;gBACzC,IAAK,IAAI,KAAK,UAAU,EAAG,CAAC;oBAC3B,MAAM,GAAG,GAAoC,IAAI,CAAC,SAAS,CAAE,CAAC,CAAE,CAAC;oBACjE,IAAK,CAAE,WAAW,CAAE,GAAG,CAAE,IAAI,CAAE,mBAAmB,CAAE,GAAG,EAAE,OAAO,CAAE,EAAG,CAAC;wBACrE,OAAO,CAAC,MAAM,CAAE;4BACf,IAAI;4BACJ,SAAS,EAAE,eAAe;4BAC1B,IAAI,EAAE;gCACL,UAAU;6BACV;4BACD,OAAO,EAAE;gCACR;oCACC,SAAS,EAAE,WAAW;oCACtB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;wCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,GAAG,CAAE,CAAC;wCAClD,OAAO,KAAK,CAAC,WAAW,CAAE,GAAG,EAAE,uBAAuB,OAAO,IAAI,CAAE,CAAC;oCACrE,CAAC;iCACD;gCACD;oCACC,SAAS,EAAE,UAAU;oCACrB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;wCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,GAAG,CAAE,CAAC;wCAClD,OAAO,KAAK,CAAC,WAAW,CAAE,GAAG,EAAE,aAAa,OAAO,IAAI,CAAE,CAAC;oCAC3D,CAAC;iCACD;6BACD;yBACD,CAAE,CAAC;oBACL,CAAC;gBACF,CAAC;YACF,CAAC;SACD,CAAC;IACH,CAAC;CACD,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/plugins/security/rules/jquery-executing.ts

@@ -0,0 +1,134 @@
+import {AST_NODE_TYPES, type TSESLint, type TSESTree} from '@typescript-eslint/utils';
+import type {Type} from 'typescript';
+import {isSanitized} from '../helpers/dom-purify.js';
+import {getType} from '../helpers/ts-types.js';
+
+type UnsafeCalls =
+	'after'
+	| 'append'
+	| 'appendTo'
+	| 'before'
+	| 'html'
+	| 'insertAfter'
+	| 'insertBefore'
+	| 'prepend'
+	| 'prependTo'
+	| 'replaceAll'
+	| 'replaceWith';
+
+type Messages = 'needsEscaping' | 'sanitize' | 'domPurify';
+type Context = TSESLint.RuleContext<Messages, []>;
+
+
+/**
+ * @link https://docs.wpvip.com/security/javascript-security-recommendations/#h-stripping-tags
+ */
+const JQUERY_METHODS: UnsafeCalls[] = [
+	'after', 'append', 'appendTo', 'before', 'html',
+	'insertAfter', 'insertBefore', 'prepend', 'prependTo',
+	'replaceAll', 'replaceWith',
+];
+
+/**
+ * Is the type of variable being passed a jQuery element?
+ *
+ * - jQuery elements are of type `JQuery`.
+ * - jQuery elements do not require sanitization.
+ *
+ * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
+ */
+export function isJQueryElementType( arg: TSESTree.CallExpressionArgument, context: Context ): boolean {
+	const element: Type = getType<Context>( arg, context );
+	return 'JQuery' === element.getSymbol()?.escapedName;
+}
+
+
+function isJQueryMethod( methodName: string ): methodName is UnsafeCalls {
+	return JQUERY_METHODS.includes( methodName as UnsafeCalls );
+}
+
+export function isJQueryCall( node: TSESTree.CallExpression ): boolean {
+	if ( AST_NODE_TYPES.MemberExpression !== node.callee.type || ! ( 'name' in node.callee.property ) ) {
+		return false;
+	}
+	// Walk to the root object of the call chain
+	let obj = node.callee.object ?? null;
+	if ( null === obj ) {
+		return false;
+	}
+	while ( AST_NODE_TYPES.MemberExpression === obj.type ) {
+		obj = obj.object;
+	}
+	return ( AST_NODE_TYPES.CallExpression === obj.type && AST_NODE_TYPES.Identifier === obj.callee.type &&
+		( '$' === obj.callee.name || 'jQuery' === obj.callee.name )
+	);
+}
+
+
+export function getJQueryCall( node: TSESTree.CallExpression ): UnsafeCalls | null {
+	// Detect $(...).method(userInput) or jQuery(...).method(...)
+	if ( AST_NODE_TYPES.MemberExpression !== node.callee.type || ! ( 'name' in node.callee.property ) ) {
+		return null;
+	}
+	const methodName = node.callee.property.name;
+	if ( ! isJQueryMethod( methodName ) ) {
+		return null;
+	}
+	return isJQueryCall( node ) ? methodName : null;
+}
+
+const plugin: TSESLint.RuleModule<Messages> = {
+	defaultOptions: [],
+	meta: {
+		docs: {
+			description: 'Disallow using unsanitized values in jQuery methods that execute HTML',
+		},
+		hasSuggestions: true,
+		messages: {
+			needsEscaping: 'Any HTML used with `{{methodName}}` gets executed. Make sure it\'s properly escaped.',
+
+			// Suggestions
+			domPurify: 'Wrap the argument with a `DOMPurify.sanitize()` call.',
+			sanitize: 'Wrap the argument with a `sanitize()` call.',
+		},
+		schema: [],
+		type: 'problem',
+	},
+	create( context: Context ): TSESLint.RuleListener {
+		return {
+			CallExpression( node: TSESTree.CallExpression ) {
+				const methodName = getJQueryCall( node );
+				if ( null !== methodName ) {
+					const arg: TSESTree.CallExpressionArgument = node.arguments[ 0 ];
+					if ( ! isSanitized( arg ) && ! isJQueryElementType( arg, context ) ) {
+						context.report( {
+							node,
+							messageId: 'needsEscaping',
+							data: {
+								methodName,
+							},
+							suggest: [
+								{
+									messageId: 'domPurify',
+									fix: ( fixer: TSESLint.RuleFixer ) => {
+										const argText = context.sourceCode.getText( arg );
+										return fixer.replaceText( arg, `DOMPurify.sanitize( ${argText} )` );
+									},
+								},
+								{
+									messageId: 'sanitize',
+									fix: ( fixer: TSESLint.RuleFixer ) => {
+										const argText = context.sourceCode.getText( arg );
+										return fixer.replaceText( arg, `sanitize( ${argText} )` );
+									},
+								},
+							],
+						} );
+					}
+				}
+			},
+		};
+	},
+};
+
+export default plugin;

package/plugins/security/rules/no-at-html-tags.js

@@ -0,0 +1,53 @@
+import {} from '@typescript-eslint/utils';
+import { isSanitized } from '../helpers/dom-purify.js';
+const plugin = {
+    defaultOptions: [],
+    meta: {
+        docs: {
+            description: 'disallow using `{@html}` to prevent XSS attack. Make sure it\'s properly escaped.',
+        },
+        schema: [],
+        messages: {
+            dangerousHtml: '`{@html}` can lead to XSS attack.',
+            // Suggestions
+            domPurify: 'Wrap the content with a `DOMPurify.sanitize()` call.',
+            sanitize: 'Wrap the content with a `sanitize()` call.',
+        },
+        hasSuggestions: true,
+        type: 'problem',
+    },
+    create(context) {
+        return {
+            'SvelteMustacheTag[kind=raw]'(node) {
+                if (isSanitized(node.expression)) {
+                    return;
+                }
+                const expression = node.expression;
+                context.report({
+                    node,
+                    messageId: 'dangerousHtml',
+                    suggest: [
+                        {
+                            messageId: 'domPurify',
+                            fix: (fixer) => {
+                                const argText = context.sourceCode.getText(expression);
+                                // @ts-expect-error - TS2345: Not a node, but has all required Node properties.
+                                return fixer.replaceText(node, `{@html DOMPurify.sanitize( ${argText} )}`);
+                            },
+                        },
+                        {
+                            messageId: 'sanitize',
+                            fix: (fixer) => {
+                                const argText = context.sourceCode.getText(expression);
+                                // @ts-expect-error - TS2345: Not a node, but has all required Node properties.
+                                return fixer.replaceText(node, `{@html sanitize( ${argText} )}`);
+                            },
+                        },
+                    ],
+                });
+            },
+        };
+    },
+};
+export default plugin;
+//# sourceMappingURL=no-at-html-tags.js.map

package/plugins/security/rules/no-at-html-tags.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-at-html-tags.js","sourceRoot":"","sources":["no-at-html-tags.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8B,MAAM,0BAA0B,CAAC;AAEtE,OAAO,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAmBrD,MAAM,MAAM,GAAW;IACtB,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACL,IAAI,EAAE;YACL,WAAW,EAAE,mFAAmF;SAChG;QACD,MAAM,EAAE,EAAE;QACV,QAAQ,EAAE;YACT,aAAa,EAAE,mCAAmC;YAElD,cAAc;YACd,SAAS,EAAE,sDAAsD;YACjE,QAAQ,EAAE,4CAA4C;SACtD;QACD,cAAc,EAAE,IAAI;QACpB,IAAI,EAAE,SAAS;KACf;IACD,MAAM,CAAE,OAAsB;QAC7B,OAAO;YACN,6BAA6B,CAAE,IAA2B;gBACzD,IAAK,WAAW,CAAE,IAAI,CAAC,UAAU,CAAE,EAAG,CAAC;oBACtC,OAAO;gBACR,CAAC;gBACD,MAAM,UAAU,GAAkB,IAAI,CAAC,UAA2B,CAAC;gBAEnE,OAAO,CAAC,MAAM,CAAE;oBACf,IAAI;oBACJ,SAAS,EAAE,eAAe;oBAC1B,OAAO,EAAE;wBACR;4BACC,SAAS,EAAE,WAAW;4BACtB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;gCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,UAAU,CAAE,CAAC;gCACzD,+EAA+E;gCAC/E,OAAO,KAAK,CAAC,WAAW,CAAE,IAAI,EAAE,8BAA8B,OAAO,KAAK,CAAE,CAAC;4BAC9E,CAAC;yBACD;wBACD;4BACC,SAAS,EAAE,UAAU;4BACrB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;gCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,UAAU,CAAE,CAAC;gCACzD,+EAA+E;gCAC/E,OAAO,KAAK,CAAC,WAAW,CAAE,IAAI,EAAE,oBAAoB,OAAO,KAAK,CAAE,CAAC;4BACpE,CAAC;yBACD;qBACD;iBACD,CAAE,CAAC;YACL,CAAC;SACD,CAAC;IACH,CAAC;CACD,CAAC;AAEF,eAAe,MAAM,CAAC"}