@lipemat/eslint-config 5.0.1 → 5.1.0-beta.1

package/plugins/security/rules/no-at-html-tags.ts

@@ -0,0 +1,74 @@
+import {type TSESLint, type TSESTree} from '@typescript-eslint/utils';
+import type {AST} from 'svelte-eslint-parser';
+import {isSanitized} from '../helpers/dom-purify.js';
+
+
+type MessageIds = 'dangerousHtml' | 'domPurify' | 'sanitize';
+
+type RuleOptions = Exclude<TSESLint.ReportDescriptor<MessageIds>, 'node'> | {
+	node: AST.SvelteMustacheTag,
+	readonly messageId: MessageIds;
+	readonly suggest?: Readonly<TSESLint.ReportSuggestionArray<MessageIds>> | null;
+}
+
+interface SvelteContext extends TSESLint.RuleContext<MessageIds, []> {
+	report( options: RuleOptions ): void;
+}
+
+interface Module extends TSESLint.RuleModule<MessageIds> {
+	create( context: SvelteContext ): TSESLint.RuleListener;
+}
+
+const plugin: Module = {
+	defaultOptions: [],
+	meta: {
+		docs: {
+			description: 'disallow using `{@html}` to prevent XSS attack. Make sure it\'s properly escaped.',
+		},
+		schema: [],
+		messages: {
+			dangerousHtml: '`{@html}` can lead to XSS attack.',
+
+			// Suggestions
+			domPurify: 'Wrap the content with a `DOMPurify.sanitize()` call.',
+			sanitize: 'Wrap the content with a `sanitize()` call.',
+		},
+		hasSuggestions: true,
+		type: 'problem',
+	},
+	create( context: SvelteContext ) {
+		return {
+			'SvelteMustacheTag[kind=raw]'( node: AST.SvelteMustacheTag ) {
+				if ( isSanitized( node.expression ) ) {
+					return;
+				}
+				const expression: TSESTree.Node = node.expression as TSESTree.Node;
+
+				context.report( {
+					node,
+					messageId: 'dangerousHtml',
+					suggest: [
+						{
+							messageId: 'domPurify',
+							fix: ( fixer: TSESLint.RuleFixer ) => {
+								const argText = context.sourceCode.getText( expression );
+								// @ts-expect-error - TS2345: Not a node, but has all required Node properties.
+								return fixer.replaceText( node, `{@html DOMPurify.sanitize( ${argText} )}` );
+							},
+						},
+						{
+							messageId: 'sanitize',
+							fix: ( fixer: TSESLint.RuleFixer ) => {
+								const argText = context.sourceCode.getText( expression );
+								// @ts-expect-error - TS2345: Not a node, but has all required Node properties.
+								return fixer.replaceText( node, `{@html sanitize( ${argText} )}` );
+							},
+						},
+					],
+				} );
+			},
+		};
+	},
+};
+
+export default plugin;

package/plugins/security/rules/vulnerable-tag-stripping.js

@@ -73,3 +73,4 @@ const plugin = {
     },
 };
 export default plugin;
+//# sourceMappingURL=vulnerable-tag-stripping.js.map

package/plugins/security/rules/vulnerable-tag-stripping.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vulnerable-tag-stripping.js","sourceRoot":"","sources":["vulnerable-tag-stripping.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAA+B,MAAM,0BAA0B,CAAC;AACtF,OAAO,EAAC,YAAY,EAAC,MAAM,uBAAuB,CAAC;AAMnD;;;;;;GAMG;AACH,SAAS,eAAe,CAAE,IAA6B;IACtD,kCAAkC;IAClC,IAAK,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,CAAE,CAAE,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAE,EAAG,CAAC;QACpG,OAAO,IAAI,CAAC;IACb,CAAC;IAED,IAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAG,CAAC;QAC5C,OAAO,IAAI,CAAC;IACb,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IACtC,IAAK,cAAc,CAAC,cAAc,KAAK,UAAU,CAAC,IAAI,EAAG,CAAC;QACzD,OAAO,IAAI,CAAC;IACb,CAAC;IAED,IAAK,cAAc,CAAC,gBAAgB,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAE,CAAE,MAAM,IAAI,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAE,EAAG,CAAC;QAChH,OAAO,IAAI,CAAC;IACb,CAAC;IAED,IAAK,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAG,CAAC;QAClD,OAAO,IAAI,CAAC;IACb,CAAC;IAED,OAAO,YAAY,CAAE,UAAU,CAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9D,CAAC;AAGD,MAAM,MAAM,GAAkC;IAC7C,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACL,IAAI,EAAE;YACL,WAAW,EAAE,qFAAqF;SAClG;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACT,sBAAsB,EAAE,8FAA8F;YACtH,WAAW,EAAE,iDAAiD;SAC9D;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KACf;IACD,MAAM,CAAE,OAAgB;QACvB,OAAO;YACN,cAAc,CAAE,IAA6B;gBAC5C,MAAM,YAAY,GAAG,eAAe,CAAE,IAAI,CAAE,CAAC;gBAC7C,IAAK,IAAI,KAAK,YAAY,EAAG,CAAC;oBAC7B,OAAO;gBACR,CAAC;gBACD,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC;gBAC3C,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,CAAC;gBACvC,IAAK,cAAc,CAAC,cAAc,KAAK,UAAU,CAAC,IAAI,EAAG,CAAC;oBACzD,OAAO;gBACR,CAAC;gBACD,MAAM,OAAO,GAAG,UAAU,CAAC,SAAS,CAAE,CAAC,CAAE,CAAC;gBAE1C,OAAO,CAAC,MAAM,CAAE;oBACf,IAAI;oBACJ,SAAS,EAAE,wBAAwB;oBACnC,OAAO,EAAE;wBACR;4BACC,SAAS,EAAE,aAAa;4BACxB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;gCACpC,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,cAAc,CAAE,CAAC;gCAClE,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,OAAO,CAAE,CAAC;gCACtD,OAAO,KAAK,CAAC,WAAW,CAAE,IAAI,EAAE,GAAG,YAAY,UAAU,OAAO,IAAI,CAAE,CAAC;4BACxE,CAAC;yBACD;qBACD;iBACD,CAAE,CAAC;YACL,CAAC;SACD,CAAC;IACH,CAAC;CACD,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/plugins/security/rules/vulnerable-tag-stripping.ts

@@ -0,0 +1,89 @@
+import {AST_NODE_TYPES, type TSESLint, type TSESTree} from '@typescript-eslint/utils';
+import {isJQueryCall} from './jquery-executing.js';
+
+type Messages = 'vulnerableTagStripping' | 'useTextOnly';
+type Context = TSESLint.RuleContext<Messages, []>;
+
+
+/**
+ * Detects a vulnerable tag stripping pattern: .html(value).text()
+ *
+ * This pattern can lead to XSS vulnerabilities when HTML is inserted and then text is extracted.
+ *
+ * @link https://docs.wpvip.com/security/javascript-security-recommendations/#h-stripping-tags
+ */
+function isTextAfterHtml( node: TSESTree.CallExpression ): TSESTree.MemberExpression | null {
+	// Check if this is a .text() call
+	if ( AST_NODE_TYPES.MemberExpression !== node.callee.type || ! ( 'name' in node.callee.property ) ) {
+		return null;
+	}
+
+	if ( node.callee.property.name !== 'text' ) {
+		return null;
+	}
+
+	const parentCall = node.callee.object;
+	if ( AST_NODE_TYPES.CallExpression !== parentCall.type ) {
+		return null;
+	}
+
+	if ( AST_NODE_TYPES.MemberExpression !== parentCall.callee.type || ! ( 'name' in parentCall.callee.property ) ) {
+		return null;
+	}
+
+	if ( parentCall.callee.property.name !== 'html' ) {
+		return null;
+	}
+
+	return isJQueryCall( parentCall ) ? parentCall.callee : null;
+}
+
+
+const plugin: TSESLint.RuleModule<Messages> = {
+	defaultOptions: [],
+	meta: {
+		docs: {
+			description: 'Disallow jQuery .html().text() chaining which can lead to XSS through tag stripping',
+		},
+		hasSuggestions: true,
+		messages: {
+			vulnerableTagStripping: 'Using .html().text() can lead to XSS vulnerabilities through tag stripping. Use only .text()',
+			useTextOnly: 'Remove .html() and move the argument to .text()',
+		},
+		schema: [],
+		type: 'problem',
+	},
+	create( context: Context ): TSESLint.RuleListener {
+		return {
+			CallExpression( node: TSESTree.CallExpression ) {
+				const htmlProperty = isTextAfterHtml( node );
+				if ( null === htmlProperty ) {
+					return;
+				}
+				const jquerySelector = htmlProperty.object;
+				const parentCall = htmlProperty.parent;
+				if ( AST_NODE_TYPES.CallExpression !== parentCall.type ) {
+					return;
+				}
+				const htmlArg = parentCall.arguments[ 0 ];
+
+				context.report( {
+					node,
+					messageId: 'vulnerableTagStripping',
+					suggest: [
+						{
+							messageId: 'useTextOnly',
+							fix: ( fixer: TSESLint.RuleFixer ) => {
+								const selectorText = context.sourceCode.getText( jquerySelector );
+								const argText = context.sourceCode.getText( htmlArg );
+								return fixer.replaceText( node, `${selectorText}.text( ${argText} )` );
+							},
+						},
+					],
+				} );
+			},
+		};
+	},
+};
+
+export default plugin;

package/plugins/security/rules/window-escaping.js

@@ -57,7 +57,7 @@ const plugin = {
         messages: {
             unsafeWindow: 'Assignment to "{{propName}}" must be sanitized.',
             unsafeWindowLocation: 'Assignment to window.location.{{propName}} must be sanitized.',
-            unsafeRead: 'Data from JS global {{propName}} may contain user-supplied values and should be sanitized before output to prevent XSS.',
+            unsafeRead: 'Data from JS global {{propName}} may contain user-supplied values and should be sanitized before using to prevent XSS.',
             // Suggestions
             domPurify: 'Wrap the argument with a `DOMPurify.sanitize()` call.',
             sanitize: 'Wrap the argument with a `sanitize()` call.',
@@ -179,3 +179,4 @@ const plugin = {
     },
 };
 export default plugin;
+//# sourceMappingURL=window-escaping.js.map

package/plugins/security/rules/window-escaping.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"window-escaping.js","sourceRoot":"","sources":["window-escaping.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAA+B,MAAM,0BAA0B,CAAC;AACtF,OAAO,EAAC,eAAe,EAAC,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAarD,4DAA4D;AAC5D,MAAM,cAAc,GAAG,IAAI,GAAG,CAAE,CAAE,MAAM,EAAE,KAAK,EAAE,QAAQ;IACxD,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ;CAClG,CAAE,CAAC;AAEJ,MAAM,YAAY,GAAG,IAAI,GAAG,CAAE,CAAE,MAAM,EAAE,QAAQ,CAAE,CAAE,CAAC;AAErD,MAAM,UAAU,eAAe,CAAE,KAAa;IAC7C,OAAO,CAAE,wDAAwD,CAAC,IAAI,CAAE,kBAAkB,CAAE,KAAK,CAAC,OAAO,CAAE,yBAAyB,EAAE,EAAE,CAAE,CAAE,CAAE,CAAC;AAChJ,CAAC;AAGD,SAAS,gBAAgB,CAAE,IAAyB;IACnD,OAAO,eAAe,CAAE,IAAI,CAAE,IAAI,eAAe,CAAE,IAAI,CAAC,KAAK,CAAE,CAAC;AACjE,CAAC;AAGD,SAAS,0BAA0B,CAAE,IAAmC;IACvE,+BAA+B;IAC/B,OAAO,CACN,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI;QAClD,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI;QACzD,cAAc,CAAC,UAAU,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI;QAC5D,cAAc,CAAC,UAAU,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI;QAC1D,cAAc,CAAC,UAAU,KAAK,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI;QACrD,QAAQ,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI;QACzC,UAAU,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI;QAC7C,cAAc,CAAC,GAAG,CAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAE,CAC7C,CAAC;AACH,CAAC;AAGD,SAAS,kBAAkB,CAAE,IAAmC;IAC/D,sBAAsB;IACtB,OAAO,CACN,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI;QAClD,cAAc,CAAC,UAAU,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI;QACnD,cAAc,CAAC,UAAU,KAAK,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI;QACrD,QAAQ,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI;QAClC,YAAY,CAAC,GAAG,CAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAE,CAC3C,CAAC;AACH,CAAC;AAGD,SAAS,kBAAkB,CAAE,UAAqC;IACjE,mDAAmD;IACnD,IAAK,cAAc,CAAC,gBAAgB,KAAK,UAAU,CAAC,IAAI,EAAG,CAAC;QAC3D,OAAO,KAAK,CAAC;IACd,CAAC;IACD,IAAK,cAAc,CAAC,UAAU,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,QAAQ,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,EAAG,CAAC;QACnG,OAAO,IAAI,CAAC;IACb,CAAC;IACD,IAAK,cAAc,CAAC,gBAAgB,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,EAAG,CAAC;QAClE,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC;QACvC,MAAM,cAAc,GAAG,cAAc,CAAC,UAAU,KAAK,YAAY,CAAC,MAAM,CAAC,IAAI,IAAI,QAAQ,KAAK,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC;QACvH,MAAM,kBAAkB,GAAG,cAAc,CAAC,UAAU,KAAK,YAAY,CAAC,QAAQ,CAAC,IAAI,IAAI,UAAU,KAAK,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC;QAEjI,OAAO,cAAc,IAAI,kBAAkB,CAAC;IAC7C,CAAC;IAED,OAAO,KAAK,CAAC;AACd,CAAC;AAGD,MAAM,MAAM,GAAkC;IAC7C,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACL,IAAI,EAAE,SAAS;QACf,IAAI,EAAE;YACL,WAAW,EAAE,qEAAqE;SAClF;QACD,QAAQ,EAAE;YACT,YAAY,EAAE,iDAAiD;YAC/D,oBAAoB,EAAE,+DAA+D;YACrF,UAAU,EAAE,wHAAwH;YAEpI,cAAc;YACd,SAAS,EAAE,uDAAuD;YAClE,QAAQ,EAAE,6CAA6C;SACvD;QACD,MAAM,EAAE,EAAE;QACV,cAAc,EAAE,IAAI;KACpB;IACD,MAAM,CAAE,OAAgB;QACvB,OAAO;YACN,oBAAoB,CAAE,IAAmC;gBACxD,MAAM,KAAK,GAAwB,IAAI,CAAC,KAAK,CAAC;gBAC9C,IAAK,cAAc,CAAC,gBAAgB,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAE,CAAE,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAE,EAAG,CAAC;oBAChG,OAAO;gBACR,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAEzC,+BAA+B;gBAC/B,IAAK,0BAA0B,CAAE,IAAI,CAAE,EAAG,CAAC;oBAC1C,MAAM,WAAW,GAAwB,KAAK,CAAC;oBAC/C,IAAK,CAAE,cAAc,CAAC,GAAG,CAAE,QAAQ,CAAE,EAAG,CAAC;wBACxC,OAAO;oBACR,CAAC;oBACD,IAAK,gBAAgB,CAAE,WAAW,CAAE,IAAI,WAAW,CAAE,WAAW,CAAE,EAAG,CAAC;wBACrE,OAAO;oBACR,CAAC;oBACD,OAAO,CAAC,MAAM,CAAE;wBACf,IAAI;wBACJ,SAAS,EAAE,sBAAsB;wBACjC,IAAI,EAAE;4BACL,QAAQ;yBACR;wBACD,OAAO,EAAE;4BACR;gCACC,SAAS,EAAE,UAAU;gCACrB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;oCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,KAAK,CAAE,CAAC;oCACpD,OAAO,KAAK,CAAC,WAAW,CAAE,KAAK,EAAE,aAAa,OAAO,IAAI,CAAE,CAAC;gCAC7D,CAAC;6BACD,EAAE;gCACF,SAAS,EAAE,WAAW;gCACtB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;oCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,KAAK,CAAE,CAAC;oCACpD,OAAO,KAAK,CAAC,WAAW,CAAE,KAAK,EAAE,uBAAuB,OAAO,IAAI,CAAE,CAAC;gCACvE,CAAC;6BACD;yBACD;qBACD,CAAE,CAAC;oBACJ,OAAO;gBACR,CAAC;gBAED,sBAAsB;gBACtB,IAAK,kBAAkB,CAAE,IAAI,CAAE,EAAG,CAAC;oBAClC,IAAK,WAAW,CAAE,IAAI,CAAC,KAAK,CAAE,EAAG,CAAC;wBACjC,OAAO;oBACR,CAAC;oBACD,OAAO,CAAC,MAAM,CAAE;wBACf,IAAI;wBACJ,SAAS,EAAE,cAAc;wBACzB,IAAI,EAAE;4BACL,QAAQ;yBACR;wBACD,OAAO,EAAE;4BACR;gCACC,SAAS,EAAE,UAAU;gCACrB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;oCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,KAAK,CAAE,CAAC;oCACpD,OAAO,KAAK,CAAC,WAAW,CAAE,KAAK,EAAE,aAAa,OAAO,IAAI,CAAE,CAAC;gCAC7D,CAAC;6BACD,EAAE;gCACF,SAAS,EAAE,WAAW;gCACtB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;oCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,KAAK,CAAE,CAAC;oCACpD,OAAO,KAAK,CAAC,WAAW,CAAE,KAAK,EAAE,uBAAuB,OAAO,IAAI,CAAE,CAAC;gCACvE,CAAC;6BACD;yBACD;qBACD,CAAE,CAAC;gBACL,CAAC;YACF,CAAC;YAGD,wDAAwD;YACxD,gBAAgB,CAAE,IAA+B;gBAChD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;gBAC3B,IAAK,cAAc,CAAC,oBAAoB,KAAK,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,EAAG,CAAC;oBACnF,OAAO;gBACR,CAAC;gBAED,IAAK,CAAE,kBAAkB,CAAE,IAAI,CAAE,IAAI,CAAE,CAAE,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAE,EAAG,CAAC;oBACrE,OAAO;gBACR,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACpC,IAAK,CAAE,cAAc,CAAC,GAAG,CAAE,QAAQ,CAAE,EAAG,CAAC;oBACxC,OAAO;gBACR,CAAC;gBAED,IAAK,cAAc,CAAC,cAAc,KAAK,MAAM,CAAC,IAAI,IAAI,WAAW,CAAE,MAAM,CAAE,EAAG,CAAC;oBAC9E,OAAO;gBACR,CAAC;gBAED,OAAO,CAAC,MAAM,CAAE;oBACf,IAAI;oBACJ,SAAS,EAAE,YAAY;oBACvB,IAAI,EAAE;wBACL,QAAQ;qBACR;oBACD,OAAO,EAAE;wBACR;4BACC,SAAS,EAAE,UAAU;4BACrB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;gCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,IAAI,CAAE,CAAC;gCACnD,OAAO,KAAK,CAAC,WAAW,CAAE,IAAI,EAAE,aAAa,OAAO,IAAI,CAAE,CAAC;4BAC5D,CAAC;yBACD;wBACD;4BACC,SAAS,EAAE,WAAW;4BACtB,GAAG,EAAE,CAAE,KAAyB,EAAG,EAAE;gCACpC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAE,IAAI,CAAE,CAAC;gCACnD,OAAO,KAAK,CAAC,WAAW,CAAE,IAAI,EAAE,uBAAuB,OAAO,IAAI,CAAE,CAAC;4BACtE,CAAC;yBACD;qBACD;iBACD,CAAE,CAAC;YACL,CAAC;SACD,CAAC;IACH,CAAC;CACD,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/plugins/security/rules/window-escaping.ts

@@ -0,0 +1,220 @@
+import {AST_NODE_TYPES, type TSESLint, type TSESTree} from '@typescript-eslint/utils';
+import {isLiteralString} from '../helpers/string.js';
+import {isSanitized} from '../helpers/dom-purify.js';
+
+
+type Messages =
+	'unsafeWindow'
+	| 'unsafeRead'
+	| 'unsafeWindowLocation'
+	| 'domPurify'
+	| 'sanitize'
+
+type Context = TSESLint.RuleContext<Messages, []>;
+
+
+// Window and location properties that need special handling
+const LOCATION_PROPS = new Set( [ 'href', 'src', 'action',
+	'protocol', 'host', 'hostname', 'pathname', 'search', 'hash', 'username', 'port', 'name', 'status',
+] );
+
+const WINDOW_PROPS = new Set( [ 'name', 'status' ] );
+
+export function isSafeUrlString( value: string ): boolean {
+	return ! /^\s*(?:javascript|data|vbscript|about|livescript)\s*:/i.test( decodeURIComponent( value.replace( /[\u0000-\u001F\u007F]+/g, '' ) ) );
+}
+
+
+function isSafeUrlLiteral( node: TSESTree.Expression ): boolean {
+	return isLiteralString( node ) && isSafeUrlString( node.value );
+}
+
+
+function isWindowLocationAssignment( node: TSESTree.AssignmentExpression ): boolean {
+	// window.location.<prop> = ...
+	return (
+		AST_NODE_TYPES.MemberExpression === node.left.type &&
+		AST_NODE_TYPES.MemberExpression === node.left.object.type &&
+		AST_NODE_TYPES.Identifier === node.left.object.property.type &&
+		AST_NODE_TYPES.Identifier === node.left.object.object.type &&
+		AST_NODE_TYPES.Identifier === node.left.property.type &&
+		'window' === node.left.object.object.name &&
+		'location' === node.left.object.property.name &&
+		LOCATION_PROPS.has( node.left.property.name )
+	);
+}
+
+
+function isWindowAssignment( node: TSESTree.AssignmentExpression ): boolean {
+	// window.<prop> = ...
+	return (
+		AST_NODE_TYPES.MemberExpression === node.left.type &&
+		AST_NODE_TYPES.Identifier === node.left.object.type &&
+		AST_NODE_TYPES.Identifier === node.left.property.type &&
+		'window' === node.left.object.name &&
+		WINDOW_PROPS.has( node.left.property.name )
+	);
+}
+
+
+function isWindowOrLocation( expression: TSESTree.MemberExpression ): boolean {
+	// Helper to detect a window.* or window.location.*
+	if ( AST_NODE_TYPES.MemberExpression !== expression.type ) {
+		return false;
+	}
+	if ( AST_NODE_TYPES.Identifier === expression.object.type && 'window' === expression.object.name ) {
+		return true;
+	}
+	if ( AST_NODE_TYPES.MemberExpression === expression.object.type ) {
+		const memberObject = expression.object;
+		const isObjectWindow = AST_NODE_TYPES.Identifier === memberObject.object.type && 'window' === memberObject.object.name;
+		const isPropertyLocation = AST_NODE_TYPES.Identifier === memberObject.property.type && 'location' === memberObject.property.name;
+
+		return isObjectWindow && isPropertyLocation;
+	}
+
+	return false;
+}
+
+
+const plugin: TSESLint.RuleModule<Messages> = {
+	defaultOptions: [],
+	meta: {
+		type: 'problem',
+		docs: {
+			description: 'Require proper escaping for the window and location property access',
+		},
+		messages: {
+			unsafeWindow: 'Assignment to "{{propName}}" must be sanitized.',
+			unsafeWindowLocation: 'Assignment to window.location.{{propName}} must be sanitized.',
+			unsafeRead: 'Data from JS global {{propName}} may contain user-supplied values and should be sanitized before using to prevent XSS.',
+
+			// Suggestions
+			domPurify: 'Wrap the argument with a `DOMPurify.sanitize()` call.',
+			sanitize: 'Wrap the argument with a `sanitize()` call.',
+		},
+		schema: [],
+		hasSuggestions: true,
+	},
+	create( context: Context ): TSESLint.RuleListener {
+		return {
+			AssignmentExpression( node: TSESTree.AssignmentExpression ): void {
+				const right: TSESTree.Expression = node.right;
+				if ( AST_NODE_TYPES.MemberExpression !== node.left.type || ! ( 'name' in node.left.property ) ) {
+					return;
+				}
+				const propName = node.left.property.name;
+
+				// window.location.<prop> = ...
+				if ( isWindowLocationAssignment( node ) ) {
+					const rhsResolved: TSESTree.Expression = right;
+					if ( ! LOCATION_PROPS.has( propName ) ) {
+						return;
+					}
+					if ( isSafeUrlLiteral( rhsResolved ) || isSanitized( rhsResolved ) ) {
+						return;
+					}
+					context.report( {
+						node,
+						messageId: 'unsafeWindowLocation',
+						data: {
+							propName,
+						},
+						suggest: [
+							{
+								messageId: 'sanitize',
+								fix: ( fixer: TSESLint.RuleFixer ) => {
+									const argText = context.sourceCode.getText( right );
+									return fixer.replaceText( right, `sanitize( ${argText} )` );
+								},
+							}, {
+								messageId: 'domPurify',
+								fix: ( fixer: TSESLint.RuleFixer ) => {
+									const argText = context.sourceCode.getText( right );
+									return fixer.replaceText( right, `DOMPurify.sanitize( ${argText} )` );
+								},
+							},
+						],
+					} );
+					return;
+				}
+
+				// window.<prop> = ...
+				if ( isWindowAssignment( node ) ) {
+					if ( isSanitized( node.right ) ) {
+						return;
+					}
+					context.report( {
+						node,
+						messageId: 'unsafeWindow',
+						data: {
+							propName,
+						},
+						suggest: [
+							{
+								messageId: 'sanitize',
+								fix: ( fixer: TSESLint.RuleFixer ) => {
+									const argText = context.sourceCode.getText( right );
+									return fixer.replaceText( right, `sanitize( ${argText} )` );
+								},
+							}, {
+								messageId: 'domPurify',
+								fix: ( fixer: TSESLint.RuleFixer ) => {
+									const argText = context.sourceCode.getText( right );
+									return fixer.replaceText( right, `DOMPurify.sanitize( ${argText} )` );
+								},
+							},
+						],
+					} );
+				}
+			},
+
+
+			// Check for reading from the window.location properties
+			MemberExpression( node: TSESTree.MemberExpression ): void {
+				const parent = node.parent;
+				if ( AST_NODE_TYPES.AssignmentExpression === parent.type && parent.left === node ) {
+					return;
+				}
+
+				if ( ! isWindowOrLocation( node ) || ! ( 'name' in node.property ) ) {
+					return;
+				}
+				const propName = node.property.name;
+				if ( ! LOCATION_PROPS.has( propName ) ) {
+					return;
+				}
+
+				if ( AST_NODE_TYPES.CallExpression === parent.type && isSanitized( parent ) ) {
+					return;
+				}
+
+				context.report( {
+					node,
+					messageId: 'unsafeRead',
+					data: {
+						propName,
+					},
+					suggest: [
+						{
+							messageId: 'sanitize',
+							fix: ( fixer: TSESLint.RuleFixer ) => {
+								const argText = context.sourceCode.getText( node );
+								return fixer.replaceText( node, `sanitize( ${argText} )` );
+							},
+						},
+						{
+							messageId: 'domPurify',
+							fix: ( fixer: TSESLint.RuleFixer ) => {
+								const argText = context.sourceCode.getText( node );
+								return fixer.replaceText( node, `DOMPurify.sanitize( ${argText} )` );
+							},
+						},
+					],
+				} );
+			},
+		};
+	},
+};
+
+export default plugin;

package/plugins/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../tsconfig.json",
+  "include": [
+    "./**/*.ts",
+    "../helpers/**/*.ts",
+    "../index.ts"
+  ]
+}

package/types/index.d.ts

@@ -1,3 +0,0 @@
-import type { FlatConfig } from '@typescript-eslint/utils/ts-eslint';
-declare const _default: (FlatConfig.Config | import("eslint").Linter.Config<import("eslint").Linter.RulesRecord>)[];
-export default _default;

package/types/plugins/security/helpers/dom-purify.d.ts

@@ -1,6 +0,0 @@
-import { type TSESTree } from '@typescript-eslint/utils';
-/**
- * Check if a node is a call to a known sanitization function.
- * - Currently recognizes `sanitize(...)` and `DOMPurify.sanitize(...)`.
- */
-export declare function isSanitized(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;

package/types/plugins/security/helpers/element.d.ts

@@ -1,10 +0,0 @@
-import type { TSESLint, TSESTree } from '@typescript-eslint/utils';
-/**
- * Is the type of variable being passed a DOM element?
- *
- * - DOM elements are of the type `HTML{*}Element`.
- * - DOM elements do not require sanitization.
- *
- * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
- */
-export declare function isDomElementType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): boolean;

package/types/plugins/security/helpers/string.d.ts

@@ -1,20 +0,0 @@
-import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
-/**
- * Is the node of type string.
- * - String literals.
- * - constants of type string.
- * - template literals.
- * - intrinsic type string.
- */
-export declare function isStringLike(node: TSESTree.CallExpressionArgument, context: Readonly<TSESLint.RuleContext<string, readonly []>>): boolean;
-/**
- * Check if a node is a literal string
- */
-export declare function isLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): node is TSESTree.StringLiteral;
-/**
- * Check if a node is a literal string that is safe to use in an HTML context.
- * - Must be a literal string. Or a conditional expression where both branches are safe literal strings.
- * - Must not contain `<script`.
- * - Must not start with a dangerous protocol (javascript:, data:, vbscript:, about:, livescript:).
- */
-export declare function isSafeLiteralString(node: TSESTree.Property['value'] | TSESTree.CallExpressionArgument): boolean;

package/types/plugins/security/helpers/ts-types.d.ts

@@ -1,6 +0,0 @@
-import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
-import type { Type } from 'typescript';
-/**
- * Get the TypeScript type of node.
- */
-export declare function getType<Context extends Readonly<TSESLint.RuleContext<string, readonly []>>>(expression: TSESTree.CallExpressionArgument, context: Context): Type;

package/types/plugins/security/index.d.ts

@@ -1,8 +0,0 @@
-import type { FlatConfig } from '@typescript-eslint/utils/ts-eslint';
-type Plugin = FlatConfig.Plugin & {
-    configs: {
-        recommended: FlatConfig.Config;
-    };
-};
-declare const plugin: Plugin;
-export default plugin;

package/types/plugins/security/rules/dangerously-set-inner-html.d.ts

@@ -1,4 +0,0 @@
-import { type TSESLint } from '@typescript-eslint/utils';
-type Messages = 'dangerousInnerHtml' | 'sanitize' | 'domPurify';
-declare const plugin: TSESLint.RuleModule<Messages>;
-export default plugin;

package/types/plugins/security/rules/html-executing-assignment.d.ts

@@ -1,4 +0,0 @@
-import { type TSESLint } from '@typescript-eslint/utils';
-type Messages = 'executed' | 'sanitize' | 'domPurify';
-declare const plugin: TSESLint.RuleModule<Messages>;
-export default plugin;

package/types/plugins/security/rules/html-executing-function.d.ts

@@ -1,6 +0,0 @@
-import { type TSESLint } from '@typescript-eslint/utils';
-type HtmlExecutingFunctions = 'document.write' | 'document.writeln';
-type UnsafeCalls = 'after' | 'append' | 'before' | 'insertAdjacentHTML' | 'prepend' | 'replaceWith' | 'setAttribute';
-type Messages = HtmlExecutingFunctions | UnsafeCalls | 'sanitize' | 'domPurify';
-declare const plugin: TSESLint.RuleModule<Messages>;
-export default plugin;

package/types/plugins/security/rules/html-sinks.d.ts

@@ -1,4 +0,0 @@
-import { type TSESLint } from '@typescript-eslint/utils';
-type Messages = 'setTimeoutString' | 'setIntervalString' | 'windowOpenUnsanitized' | 'cssTextUnsanitized' | 'sanitize' | 'domPurify';
-declare const plugin: TSESLint.RuleModule<Messages>;
-export default plugin;

package/types/plugins/security/rules/html-string-concat.d.ts

@@ -1,9 +0,0 @@
-import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
-/**
- * Check if an expression contains any HTML-like strings.
- * - Looks for `<` or `>` characters in string literals and template literals.
- * - Recursively checks binary expressions with the ` + ` operator.
- */
-export declare function hasHtmlLikeStrings(node: TSESTree.Expression | TSESTree.PrivateIdentifier): boolean;
-declare const plugin: TSESLint.RuleModule<'htmlStringConcat'>;
-export default plugin;

package/types/plugins/security/rules/jquery-executing.d.ts

@@ -1,17 +0,0 @@
-import { type TSESLint, type TSESTree } from '@typescript-eslint/utils';
-type UnsafeCalls = 'after' | 'append' | 'appendTo' | 'before' | 'html' | 'insertAfter' | 'insertBefore' | 'prepend' | 'prependTo' | 'replaceAll' | 'replaceWith';
-type Messages = 'needsEscaping' | 'sanitize' | 'domPurify';
-type Context = TSESLint.RuleContext<Messages, []>;
-/**
- * Is the type of variable being passed a jQuery element?
- *
- * - jQuery elements are of type `JQuery`.
- * - jQuery elements do not require sanitization.
- *
- * @link https://typescript-eslint.io/developers/custom-rules/#typed-rules
- */
-export declare function isJQueryElementType(arg: TSESTree.CallExpressionArgument, context: Context): boolean;
-export declare function isJQueryCall(node: TSESTree.CallExpression): boolean;
-export declare function getJQueryCall(node: TSESTree.CallExpression): UnsafeCalls | null;
-declare const plugin: TSESLint.RuleModule<Messages>;
-export default plugin;

package/types/plugins/security/rules/vulnerable-tag-stripping.d.ts

@@ -1,4 +0,0 @@
-import { type TSESLint } from '@typescript-eslint/utils';
-type Messages = 'vulnerableTagStripping' | 'useTextOnly';
-declare const plugin: TSESLint.RuleModule<Messages>;
-export default plugin;

package/types/plugins/security/rules/window-escaping.d.ts

@@ -1,5 +0,0 @@
-import { type TSESLint } from '@typescript-eslint/utils';
-type Messages = 'unsafeWindow' | 'unsafeRead' | 'unsafeWindowLocation' | 'domPurify' | 'sanitize';
-export declare function isSafeUrlString(value: string): boolean;
-declare const plugin: TSESLint.RuleModule<Messages>;
-export default plugin;