eslint-plugin-sdl-2 1.0.4

package/dist/rules/no-nonnull-assertion-on-security-input.js

@@ -0,0 +1,48 @@
+import { createRule } from "../_internal/create-rule.js";
+const SECURITY_INPUT_PATTERN = /html|input|message|origin|payload|token|url/iu;
+const isSecuritySensitiveExpression = (expression) => {
+    if (expression.type === "Identifier") {
+        return SECURITY_INPUT_PATTERN.test(expression.name);
+    }
+    if (expression.type === "MemberExpression" &&
+        !expression.computed &&
+        expression.property.type === "Identifier") {
+        return SECURITY_INPUT_PATTERN.test(expression.property.name);
+    }
+    return false;
+};
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        return {
+            TSNonNullExpression(node) {
+                if (!isSecuritySensitiveExpression(node.expression)) {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node,
+                });
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "disallow non-null assertions on likely security-sensitive input values.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-nonnull-assertion-on-security-input",
+        },
+        messages: {
+            default: "Avoid non-null assertions on security-sensitive inputs; validate before use.",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-nonnull-assertion-on-security-input",
+});
+export default rule;
+/* eslint-enable @typescript-eslint/prefer-readonly-parameter-types -- Restore linting after rule implementation declarations. */
+//# sourceMappingURL=no-nonnull-assertion-on-security-input.js.map

package/dist/rules/no-nonnull-assertion-on-security-input.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-nonnull-assertion-on-security-input.js","sourceRoot":"","sources":["../../src/rules/no-nonnull-assertion-on-security-input.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,MAAM,sBAAsB,GAAG,+CAA+C,CAAC;AAE/E,MAAM,6BAA6B,GAAG,CAClC,UAA+B,EACxB,EAAE;IACT,IAAI,UAAU,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACnC,OAAO,sBAAsB,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACxD,CAAC;IAED,IACI,UAAU,CAAC,IAAI,KAAK,kBAAkB;QACtC,CAAC,UAAU,CAAC,QAAQ;QACpB,UAAU,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAC3C,CAAC;QACC,OAAO,sBAAsB,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,KAAK,CAAC;AACjB,CAAC,CAAC;AAEF,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,OAAO;YACH,mBAAmB,CAAC,IAAkC;gBAClD,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;oBAClD,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI;iBACP,CAAC,CAAC;YACP,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,yEAAyE;YAC7E,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,oGAAoG;SAC5G;QACD,QAAQ,EAAE;YACN,OAAO,EACH,8EAA8E;SACrF;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,wCAAwC;CACjD,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC;AACpB,iIAAiI"}

package/dist/rules/no-postmessage-star-origin.d.ts

@@ -0,0 +1,5 @@
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+declare const rule: ReturnType<typeof createRule>;
+export default rule;
+//# sourceMappingURL=no-postmessage-star-origin.d.ts.map

package/dist/rules/no-postmessage-star-origin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-postmessage-star-origin.d.ts","sourceRoot":"","sources":["../../src/rules/no-postmessage-star-origin.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,2BAA2B;AAC3B,QAAA,MAAM,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CAwEtC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-postmessage-star-origin.js

@@ -0,0 +1,58 @@
+import { arrayIncludes, isDefined } from "ts-extras";
+import { getFullTypeChecker, getNodeTypeAsString, } from "../_internal/ast-utils.js";
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        const fullTypeChecker = getFullTypeChecker(context);
+        return {
+            "CallExpression[arguments.length>=2][arguments.length<=3][callee.property.name='postMessage']"(node) {
+                const [, targetOrigin] = node.arguments;
+                if (!isDefined(targetOrigin) ||
+                    targetOrigin.type !== "Literal" ||
+                    targetOrigin.value !== "*") {
+                    return;
+                }
+                if (isDefined(fullTypeChecker) &&
+                    node.callee.type === "MemberExpression") {
+                    const calleeObjectType = getNodeTypeAsString(fullTypeChecker, node.callee.object, context);
+                    if (!arrayIncludes(["any", "Window"], calleeObjectType)) {
+                        return;
+                    }
+                }
+                context.report({
+                    messageId: "default",
+                    node: targetOrigin,
+                    suggest: [
+                        {
+                            fix(fixer) {
+                                return fixer.replaceText(targetOrigin, "location.origin");
+                            },
+                            messageId: "replaceWithExplicitOrigin",
+                        },
+                    ],
+                });
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "disallow '*' targetOrigin in postMessage calls to prevent cross-origin data leakage.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-postmessage-star-origin",
+        },
+        hasSuggestions: true,
+        messages: {
+            default: "Do not use '*' as targetOrigin when sending data with postMessage.",
+            replaceWithExplicitOrigin: "Replace '*' with a specific trusted origin, such as location.origin.",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-postmessage-star-origin",
+});
+export default rule;
+//# sourceMappingURL=no-postmessage-star-origin.js.map

package/dist/rules/no-postmessage-star-origin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-postmessage-star-origin.js","sourceRoot":"","sources":["../../src/rules/no-postmessage-star-origin.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAErD,OAAO,EACH,kBAAkB,EAClB,mBAAmB,GACtB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,MAAM,eAAe,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAEpD,OAAO;YACH,8FAA8F,CAC1F,IAA6B;gBAE7B,MAAM,CAAC,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;gBAExC,IACI,CAAC,SAAS,CAAC,YAAY,CAAC;oBACxB,YAAY,CAAC,IAAI,KAAK,SAAS;oBAC/B,YAAY,CAAC,KAAK,KAAK,GAAG,EAC5B,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,IACI,SAAS,CAAC,eAAe,CAAC;oBAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EACzC,CAAC;oBACC,MAAM,gBAAgB,GAAG,mBAAmB,CACxC,eAAe,EACf,IAAI,CAAC,MAAM,CAAC,MAAM,EAClB,OAAO,CACV,CAAC;oBAEF,IAAI,CAAC,aAAa,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,gBAAgB,CAAC,EAAE,CAAC;wBACtD,OAAO;oBACX,CAAC;gBACL,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI,EAAE,YAAY;oBAClB,OAAO,EAAE;wBACL;4BACI,GAAG,CAAC,KAAK;gCACL,OAAO,KAAK,CAAC,WAAW,CACpB,YAAY,EACZ,iBAAiB,CACpB,CAAC;4BACN,CAAC;4BACD,SAAS,EAAE,2BAA2B;yBACzC;qBACJ;iBACJ,CAAC,CAAC;YACP,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,sFAAsF;YAC1F,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,wFAAwF;SAChG;QACD,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE;YACN,OAAO,EACH,oEAAoE;YACxE,yBAAyB,EACrB,sEAAsE;SAC7E;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,4BAA4B;CACrC,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-postmessage-without-origin-allowlist.d.ts

@@ -0,0 +1,5 @@
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+declare const rule: ReturnType<typeof createRule>;
+export default rule;
+//# sourceMappingURL=no-postmessage-without-origin-allowlist.d.ts.map

package/dist/rules/no-postmessage-without-origin-allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-postmessage-without-origin-allowlist.d.ts","sourceRoot":"","sources":["../../src/rules/no-postmessage-without-origin-allowlist.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAoDzD,2BAA2B;AAC3B,QAAA,MAAM,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CAwDtC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-postmessage-without-origin-allowlist.js

@@ -0,0 +1,80 @@
+import { arrayFirst } from "ts-extras";
+import { createRule } from "../_internal/create-rule.js";
+const getMemberPropertyName = (memberExpression) => {
+    if (!memberExpression.computed &&
+        memberExpression.property.type === "Identifier") {
+        return memberExpression.property.name;
+    }
+    if (memberExpression.property.type === "Literal" &&
+        typeof memberExpression.property.value === "string") {
+        return memberExpression.property.value;
+    }
+    return undefined;
+};
+const getStaticStringValue = (node) => {
+    if (node.type === "Literal" && typeof node.value === "string") {
+        return node.value;
+    }
+    if (node.type === "TemplateLiteral" && node.expressions.length === 0) {
+        return arrayFirst(node.quasis)?.value.cooked ?? undefined;
+    }
+    return undefined;
+};
+const isAllowedOriginLiteral = (origin) => {
+    const normalizedOrigin = origin.trim();
+    if (normalizedOrigin === "") {
+        return false;
+    }
+    if (normalizedOrigin.includes("*")) {
+        return false;
+    }
+    return /^https?:\/\//iu.test(normalizedOrigin);
+};
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        return {
+            CallExpression(node) {
+                if (node.callee.type !== "MemberExpression") {
+                    return;
+                }
+                if (getMemberPropertyName(node.callee) !== "postMessage") {
+                    return;
+                }
+                const [, secondArgument] = node.arguments;
+                if (secondArgument === undefined ||
+                    secondArgument.type === "SpreadElement") {
+                    return;
+                }
+                const secondArgumentValue = getStaticStringValue(secondArgument);
+                if (typeof secondArgumentValue === "string" &&
+                    isAllowedOriginLiteral(secondArgumentValue)) {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node: secondArgument,
+                });
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "require explicit, allowlisted postMessage target origins instead of wildcard/dynamic values.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-postmessage-without-origin-allowlist",
+        },
+        messages: {
+            default: "Use a strict, explicit allowlisted origin for postMessage targetOrigin.",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-postmessage-without-origin-allowlist",
+});
+export default rule;
+/* eslint-enable @typescript-eslint/prefer-readonly-parameter-types -- Restore linting after rule implementation declarations. */
+//# sourceMappingURL=no-postmessage-without-origin-allowlist.js.map

package/dist/rules/no-postmessage-without-origin-allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-postmessage-without-origin-allowlist.js","sourceRoot":"","sources":["../../src/rules/no-postmessage-without-origin-allowlist.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,MAAM,qBAAqB,GAAG,CAC1B,gBAA2C,EACzB,EAAE;IACpB,IACI,CAAC,gBAAgB,CAAC,QAAQ;QAC1B,gBAAgB,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EACjD,CAAC;QACC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC1C,CAAC;IAED,IACI,gBAAgB,CAAC,QAAQ,CAAC,IAAI,KAAK,SAAS;QAC5C,OAAO,gBAAgB,CAAC,QAAQ,CAAC,KAAK,KAAK,QAAQ,EACrD,CAAC;QACC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC;IAC3C,CAAC;IAED,OAAO,SAAS,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,oBAAoB,GAAG,CACzB,IAAyB,EACP,EAAE;IACpB,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC5D,OAAO,IAAI,CAAC,KAAK,CAAC;IACtB,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnE,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC;IAC9D,CAAC;IAED,OAAO,SAAS,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,sBAAsB,GAAG,CAAC,MAAc,EAAW,EAAE;IACvD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAEvC,IAAI,gBAAgB,KAAK,EAAE,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,IAAI,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,OAAO,gBAAgB,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;AACnD,CAAC,CAAC;AAEF,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,OAAO;YACH,cAAc,CAAC,IAA6B;gBACxC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBAC1C,OAAO;gBACX,CAAC;gBAED,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,aAAa,EAAE,CAAC;oBACvD,OAAO;gBACX,CAAC;gBAED,MAAM,CAAC,EAAE,cAAc,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;gBAE1C,IACI,cAAc,KAAK,SAAS;oBAC5B,cAAc,CAAC,IAAI,KAAK,eAAe,EACzC,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,MAAM,mBAAmB,GACrB,oBAAoB,CAAC,cAAc,CAAC,CAAC;gBAEzC,IACI,OAAO,mBAAmB,KAAK,QAAQ;oBACvC,sBAAsB,CAAC,mBAAmB,CAAC,EAC7C,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI,EAAE,cAAc;iBACvB,CAAC,CAAC;YACP,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,8FAA8F;YAClG,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,qGAAqG;SAC7G;QACD,QAAQ,EAAE;YACN,OAAO,EACH,yEAAyE;SAChF;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,yCAAyC;CAClD,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC;AACpB,iIAAiI"}

package/dist/rules/no-range-create-contextual-fragment.d.ts

@@ -0,0 +1,5 @@
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+declare const rule: ReturnType<typeof createRule>;
+export default rule;
+//# sourceMappingURL=no-range-create-contextual-fragment.d.ts.map

package/dist/rules/no-range-create-contextual-fragment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-range-create-contextual-fragment.d.ts","sourceRoot":"","sources":["../../src/rules/no-range-create-contextual-fragment.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAyCzD,2BAA2B;AAC3B,QAAA,MAAM,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CA4CtC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-range-create-contextual-fragment.js

@@ -0,0 +1,64 @@
+import { createRule } from "../_internal/create-rule.js";
+import { getMemberPropertyName, getStaticStringValue, } from "../_internal/estree-utils.js";
+const isSanitizedExpression = (node) => {
+    if (node.type !== "CallExpression") {
+        return false;
+    }
+    if (node.callee.type === "Identifier") {
+        return /createhtml|sanitize|trusted/u.test(node.callee.name.toLowerCase());
+    }
+    if (node.callee.type !== "MemberExpression") {
+        return false;
+    }
+    const propertyName = getMemberPropertyName(node.callee);
+    return (typeof propertyName === "string" &&
+        /createhtml|sanitize|trusted/u.test(propertyName.toLowerCase()));
+};
+const isCreateContextualFragmentCall = (node) => {
+    if (node.callee.type !== "MemberExpression") {
+        return false;
+    }
+    return getMemberPropertyName(node.callee) === "createContextualFragment";
+};
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        return {
+            CallExpression(node) {
+                if (!isCreateContextualFragmentCall(node)) {
+                    return;
+                }
+                const [firstArgument] = node.arguments;
+                if (firstArgument === undefined ||
+                    firstArgument.type === "SpreadElement" ||
+                    getStaticStringValue(firstArgument) === "" ||
+                    isSanitizedExpression(firstArgument)) {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node: firstArgument,
+                });
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "disallow Range.createContextualFragment(...) calls on unsanitized HTML input.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-range-create-contextual-fragment",
+        },
+        messages: {
+            default: "Sanitize HTML before passing it to Range.createContextualFragment().",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-range-create-contextual-fragment",
+});
+export default rule;
+/* eslint-enable @typescript-eslint/prefer-readonly-parameter-types -- Restore linting after rule implementation declarations. */
+//# sourceMappingURL=no-range-create-contextual-fragment.js.map

package/dist/rules/no-range-create-contextual-fragment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-range-create-contextual-fragment.js","sourceRoot":"","sources":["../../src/rules/no-range-create-contextual-fragment.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EACH,qBAAqB,EACrB,oBAAoB,GACvB,MAAM,8BAA8B,CAAC;AAItC,MAAM,qBAAqB,GAAG,CAAC,IAAyB,EAAW,EAAE;IACjE,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACpC,OAAO,8BAA8B,CAAC,IAAI,CACtC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CACjC,CAAC;IACN,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,MAAM,YAAY,GAAG,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAExD,OAAO,CACH,OAAO,YAAY,KAAK,QAAQ;QAChC,8BAA8B,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC,CAClE,CAAC;AACN,CAAC,CAAC;AAEF,MAAM,8BAA8B,GAAG,CACnC,IAA6B,EACtB,EAAE;IACT,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,OAAO,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,0BAA0B,CAAC;AAC7E,CAAC,CAAC;AAEF,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,OAAO;YACH,cAAc,CAAC,IAA6B;gBACxC,IAAI,CAAC,8BAA8B,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxC,OAAO;gBACX,CAAC;gBAED,MAAM,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;gBAEvC,IACI,aAAa,KAAK,SAAS;oBAC3B,aAAa,CAAC,IAAI,KAAK,eAAe;oBACtC,oBAAoB,CAAC,aAAa,CAAC,KAAK,EAAE;oBAC1C,qBAAqB,CAAC,aAAa,CAAC,EACtC,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI,EAAE,aAAa;iBACtB,CAAC,CAAC;YACP,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,+EAA+E;YACnF,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,iGAAiG;SACzG;QACD,QAAQ,EAAE;YACN,OAAO,EACH,sEAAsE;SAC7E;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,qCAAqC;CAC9C,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC;AACpB,iIAAiI"}

package/dist/rules/no-script-src-data-url.d.ts

@@ -0,0 +1,5 @@
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+declare const rule: ReturnType<typeof createRule>;
+export default rule;
+//# sourceMappingURL=no-script-src-data-url.d.ts.map

package/dist/rules/no-script-src-data-url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-script-src-data-url.d.ts","sourceRoot":"","sources":["../../src/rules/no-script-src-data-url.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AA0BzD,2BAA2B;AAC3B,QAAA,MAAM,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CAiItC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-script-src-data-url.js

@@ -0,0 +1,108 @@
+import { getFullTypeChecker } from "../_internal/ast-utils.js";
+import { createRule } from "../_internal/create-rule.js";
+import { getMemberPropertyName, getStaticJsxAttributeStringValue, getStaticStringValue, } from "../_internal/estree-utils.js";
+import { isLikelyScriptElement } from "../_internal/script-element.js";
+const isDataUrl = (value) => /^\s*data:/iu.test(value);
+const isJsxScriptElement = (node) => node.name.type === "JSXIdentifier" &&
+    node.name.name.toLowerCase() === "script";
+const getJsxAttributeName = (attributeNode) => {
+    if (attributeNode.name.type !== "JSXIdentifier") {
+        return undefined;
+    }
+    return attributeNode.name.name.toLowerCase();
+};
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        const fullTypeChecker = getFullTypeChecker(context);
+        return {
+            AssignmentExpression(node) {
+                if (node.left.type !== "MemberExpression") {
+                    return;
+                }
+                if (getMemberPropertyName(node.left) !== "src") {
+                    return;
+                }
+                const configuredValue = getStaticStringValue(node.right);
+                if (typeof configuredValue !== "string" ||
+                    !isDataUrl(configuredValue) ||
+                    !isLikelyScriptElement(node.left.object, context, fullTypeChecker)) {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node: node.right,
+                });
+            },
+            CallExpression(node) {
+                if (node.callee.type !== "MemberExpression") {
+                    return;
+                }
+                const methodName = getMemberPropertyName(node.callee);
+                if (methodName !== "setAttribute" &&
+                    methodName !== "setAttributeNS") {
+                    return;
+                }
+                const [firstArgument, secondArgument] = node.arguments;
+                if (firstArgument === undefined ||
+                    firstArgument.type === "SpreadElement" ||
+                    getStaticStringValue(firstArgument) !== "src" ||
+                    secondArgument === undefined ||
+                    secondArgument.type === "SpreadElement") {
+                    return;
+                }
+                const configuredValue = getStaticStringValue(secondArgument);
+                if (typeof configuredValue !== "string" ||
+                    !isDataUrl(configuredValue) ||
+                    !isLikelyScriptElement(node.callee.object, context, fullTypeChecker)) {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node: secondArgument,
+                });
+            },
+            JSXOpeningElement(node) {
+                if (!isJsxScriptElement(node)) {
+                    return;
+                }
+                for (const attributeNode of node.attributes) {
+                    if (attributeNode.type !== "JSXAttribute") {
+                        continue;
+                    }
+                    if (getJsxAttributeName(attributeNode) !== "src") {
+                        continue;
+                    }
+                    const staticValue = getStaticJsxAttributeStringValue(attributeNode.value);
+                    if (typeof staticValue !== "string" ||
+                        !isDataUrl(staticValue)) {
+                        continue;
+                    }
+                    context.report({
+                        messageId: "default",
+                        node: attributeNode,
+                    });
+                }
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "disallow HTMLScriptElement src values that load executable code from data: URLs.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-script-src-data-url",
+        },
+        messages: {
+            default: "Do not load script code from a data: URL; use a reviewed external resource or module instead.",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-script-src-data-url",
+});
+export default rule;
+/* eslint-enable @typescript-eslint/prefer-readonly-parameter-types -- Restore linting after rule implementation declarations. */
+//# sourceMappingURL=no-script-src-data-url.js.map

package/dist/rules/no-script-src-data-url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-script-src-data-url.js","sourceRoot":"","sources":["../../src/rules/no-script-src-data-url.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EACH,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,GACvB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAIvE,MAAM,SAAS,GAAG,CAAC,KAAa,EAAW,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAExE,MAAM,kBAAkB,GAAG,CAAC,IAAgC,EAAW,EAAE,CACrE,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,eAAe;IAClC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC;AAE9C,MAAM,mBAAmB,GAAG,CACxB,aAAoC,EAClB,EAAE;IACpB,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC9C,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;AACjD,CAAC,CAAC;AAEF,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,MAAM,eAAe,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAEpD,OAAO;YACH,oBAAoB,CAAC,IAAmC;gBACpD,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBACxC,OAAO;gBACX,CAAC;gBAED,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC;oBAC7C,OAAO;gBACX,CAAC;gBAED,MAAM,eAAe,GAAG,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAEzD,IACI,OAAO,eAAe,KAAK,QAAQ;oBACnC,CAAC,SAAS,CAAC,eAAe,CAAC;oBAC3B,CAAC,qBAAqB,CAClB,IAAI,CAAC,IAAI,CAAC,MAAM,EAChB,OAAO,EACP,eAAe,CAClB,EACH,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI,EAAE,IAAI,CAAC,KAAK;iBACnB,CAAC,CAAC;YACP,CAAC;YACD,cAAc,CAAC,IAA6B;gBACxC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBAC1C,OAAO;gBACX,CAAC;gBAED,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAEtD,IACI,UAAU,KAAK,cAAc;oBAC7B,UAAU,KAAK,gBAAgB,EACjC,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,MAAM,CAAC,aAAa,EAAE,cAAc,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;gBAEvD,IACI,aAAa,KAAK,SAAS;oBAC3B,aAAa,CAAC,IAAI,KAAK,eAAe;oBACtC,oBAAoB,CAAC,aAAa,CAAC,KAAK,KAAK;oBAC7C,cAAc,KAAK,SAAS;oBAC5B,cAAc,CAAC,IAAI,KAAK,eAAe,EACzC,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,MAAM,eAAe,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;gBAE7D,IACI,OAAO,eAAe,KAAK,QAAQ;oBACnC,CAAC,SAAS,CAAC,eAAe,CAAC;oBAC3B,CAAC,qBAAqB,CAClB,IAAI,CAAC,MAAM,CAAC,MAAM,EAClB,OAAO,EACP,eAAe,CAClB,EACH,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI,EAAE,cAAc;iBACvB,CAAC,CAAC;YACP,CAAC;YACD,iBAAiB,CAAC,IAAgC;gBAC9C,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,OAAO;gBACX,CAAC;gBAED,KAAK,MAAM,aAAa,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC1C,IAAI,aAAa,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;wBACxC,SAAS;oBACb,CAAC;oBAED,IAAI,mBAAmB,CAAC,aAAa,CAAC,KAAK,KAAK,EAAE,CAAC;wBAC/C,SAAS;oBACb,CAAC;oBAED,MAAM,WAAW,GAAG,gCAAgC,CAChD,aAAa,CAAC,KAAK,CACtB,CAAC;oBAEF,IACI,OAAO,WAAW,KAAK,QAAQ;wBAC/B,CAAC,SAAS,CAAC,WAAW,CAAC,EACzB,CAAC;wBACC,SAAS;oBACb,CAAC;oBAED,OAAO,CAAC,MAAM,CAAC;wBACX,SAAS,EAAE,SAAS;wBACpB,IAAI,EAAE,aAAa;qBACtB,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,kFAAkF;YACtF,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,oFAAoF;SAC5F;QACD,QAAQ,EAAE;YACN,OAAO,EACH,+FAA+F;SACtG;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,wBAAwB;CACjC,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC;AACpB,iIAAiI"}

package/dist/rules/no-script-text.d.ts

@@ -0,0 +1,5 @@
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+declare const rule: ReturnType<typeof createRule>;
+export default rule;
+//# sourceMappingURL=no-script-text.d.ts.map

package/dist/rules/no-script-text.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-script-text.d.ts","sourceRoot":"","sources":["../../src/rules/no-script-text.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAczD,2BAA2B;AAC3B,QAAA,MAAM,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CAuDtC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-script-text.js

@@ -0,0 +1,52 @@
+import { getFullTypeChecker } from "../_internal/ast-utils.js";
+import { createRule } from "../_internal/create-rule.js";
+import { getMemberPropertyName, getStaticStringValue, } from "../_internal/estree-utils.js";
+import { isLikelyScriptElement } from "../_internal/script-element.js";
+const isScriptTextPropertyName = (propertyName) => propertyName === "innerText" ||
+    propertyName === "text" ||
+    propertyName === "textContent";
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        const fullTypeChecker = getFullTypeChecker(context);
+        return {
+            AssignmentExpression(node) {
+                if (node.left.type !== "MemberExpression") {
+                    return;
+                }
+                if (!isScriptTextPropertyName(getMemberPropertyName(node.left))) {
+                    return;
+                }
+                if (getStaticStringValue(node.right) === "") {
+                    return;
+                }
+                if (!isLikelyScriptElement(node.left.object, context, fullTypeChecker)) {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node: node.right,
+                });
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "disallow assigning executable code through HTMLScriptElement text, textContent, or innerText sinks.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-script-text",
+        },
+        messages: {
+            default: "Do not inject executable code through script text sinks; load a reviewed script resource or module instead.",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-script-text",
+});
+export default rule;
+/* eslint-enable @typescript-eslint/prefer-readonly-parameter-types -- Restore linting after rule implementation declarations. */
+//# sourceMappingURL=no-script-text.js.map

package/dist/rules/no-script-text.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-script-text.js","sourceRoot":"","sources":["../../src/rules/no-script-text.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EACH,qBAAqB,EACrB,oBAAoB,GACvB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAIvE,MAAM,wBAAwB,GAAG,CAAC,YAAgC,EAAW,EAAE,CAC3E,YAAY,KAAK,WAAW;IAC5B,YAAY,KAAK,MAAM;IACvB,YAAY,KAAK,aAAa,CAAC;AAEnC,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,MAAM,eAAe,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAEpD,OAAO;YACH,oBAAoB,CAAC,IAAmC;gBACpD,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBACxC,OAAO;gBACX,CAAC;gBAED,IACI,CAAC,wBAAwB,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAC7D,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC;oBAC1C,OAAO;gBACX,CAAC;gBAED,IACI,CAAC,qBAAqB,CAClB,IAAI,CAAC,IAAI,CAAC,MAAM,EAChB,OAAO,EACP,eAAe,CAClB,EACH,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI,EAAE,IAAI,CAAC,KAAK;iBACnB,CAAC,CAAC;YACP,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,qGAAqG;YACzG,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,4EAA4E;SACpF;QACD,QAAQ,EAAE;YACN,OAAO,EACH,6GAA6G;SACpH;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,gBAAgB;CACzB,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC;AACpB,iIAAiI"}

package/dist/rules/no-service-worker-unsafe-script-url.d.ts

@@ -0,0 +1,5 @@
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+declare const rule: ReturnType<typeof createRule>;
+export default rule;
+//# sourceMappingURL=no-service-worker-unsafe-script-url.d.ts.map

package/dist/rules/no-service-worker-unsafe-script-url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-service-worker-unsafe-script-url.d.ts","sourceRoot":"","sources":["../../src/rules/no-service-worker-unsafe-script-url.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AA4BzD,2BAA2B;AAC3B,QAAA,MAAM,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CA2CtC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-service-worker-unsafe-script-url.js

@@ -0,0 +1,52 @@
+import { createRule } from "../_internal/create-rule.js";
+import { getStaticStringValue } from "../_internal/estree-utils.js";
+import { isBlobUrl, isDataUrl, isServiceWorkerRegisterCall, isUrlCreateObjectUrlCall, } from "../_internal/worker-code-loading.js";
+const isJavaScriptUrl = (value) => /^\s*javascript\s*:/iu.test(value);
+const isUnsafeServiceWorkerScriptUrl = (expression) => {
+    const configuredValue = getStaticStringValue(expression);
+    return ((typeof configuredValue === "string" &&
+        (isBlobUrl(configuredValue) ||
+            isDataUrl(configuredValue) ||
+            isJavaScriptUrl(configuredValue))) ||
+        isUrlCreateObjectUrlCall(expression));
+};
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        return {
+            CallExpression(node) {
+                if (!isServiceWorkerRegisterCall(node.callee)) {
+                    return;
+                }
+                const [firstArgument] = node.arguments;
+                if (firstArgument === undefined ||
+                    firstArgument.type === "SpreadElement" ||
+                    !isUnsafeServiceWorkerScriptUrl(firstArgument)) {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node: firstArgument,
+                });
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "disallow unsafe service worker script URLs such as data:, blob:, javascript:, and direct URL.createObjectURL(...) registrations.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-service-worker-unsafe-script-url",
+        },
+        messages: {
+            default: "Do not register a service worker from data:, blob:, javascript:, or URL.createObjectURL(...) script URLs.",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-service-worker-unsafe-script-url",
+});
+export default rule;
+//# sourceMappingURL=no-service-worker-unsafe-script-url.js.map

package/dist/rules/no-service-worker-unsafe-script-url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-service-worker-unsafe-script-url.js","sourceRoot":"","sources":["../../src/rules/no-service-worker-unsafe-script-url.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EACH,SAAS,EACT,SAAS,EACT,2BAA2B,EAC3B,wBAAwB,GAC3B,MAAM,qCAAqC,CAAC;AAI7C,MAAM,eAAe,GAAG,CAAC,KAAa,EAAW,EAAE,CAC/C,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAEvC,MAAM,8BAA8B,GAAG,CACnC,UAAyC,EAClC,EAAE;IACT,MAAM,eAAe,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAEzD,OAAO,CACH,CAAC,OAAO,eAAe,KAAK,QAAQ;QAChC,CAAC,SAAS,CAAC,eAAe,CAAC;YACvB,SAAS,CAAC,eAAe,CAAC;YAC1B,eAAe,CAAC,eAAe,CAAC,CAAC,CAAC;QAC1C,wBAAwB,CAAC,UAAU,CAAC,CACvC,CAAC;AACN,CAAC,CAAC;AAEF,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,OAAO;YACH,cAAc,CAAC,IAA6B;gBACxC,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC5C,OAAO;gBACX,CAAC;gBAED,MAAM,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;gBAEvC,IACI,aAAa,KAAK,SAAS;oBAC3B,aAAa,CAAC,IAAI,KAAK,eAAe;oBACtC,CAAC,8BAA8B,CAAC,aAAa,CAAC,EAChD,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI,EAAE,aAAa;iBACtB,CAAC,CAAC;YACP,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,kIAAkI;YACtI,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,iGAAiG;SACzG;QACD,QAAQ,EAAE;YACN,OAAO,EACH,2GAA2G;SAClH;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,qCAAqC;CAC9C,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-set-html-unsafe.d.ts

@@ -0,0 +1,5 @@
+import { createRule } from "../_internal/create-rule.js";
+/** Rule implementation. */
+declare const rule: ReturnType<typeof createRule>;
+export default rule;
+//# sourceMappingURL=no-set-html-unsafe.d.ts.map

package/dist/rules/no-set-html-unsafe.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-set-html-unsafe.d.ts","sourceRoot":"","sources":["../../src/rules/no-set-html-unsafe.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAgBzD,2BAA2B;AAC3B,QAAA,MAAM,IAAI,EAAE,UAAU,CAAC,OAAO,UAAU,CA2CtC,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/dist/rules/no-set-html-unsafe.js

@@ -0,0 +1,48 @@
+import { createRule } from "../_internal/create-rule.js";
+import { getMemberPropertyName, getStaticStringValue, } from "../_internal/estree-utils.js";
+const isSetHtmlUnsafeCall = (node) => {
+    if (node.callee.type !== "MemberExpression") {
+        return false;
+    }
+    return getMemberPropertyName(node.callee) === "setHTMLUnsafe";
+};
+/** Rule implementation. */
+const rule = createRule({
+    create(context) {
+        return {
+            CallExpression(node) {
+                if (!isSetHtmlUnsafeCall(node)) {
+                    return;
+                }
+                const [firstArgument] = node.arguments;
+                if (firstArgument !== undefined &&
+                    firstArgument.type !== "SpreadElement" &&
+                    getStaticStringValue(firstArgument) === "") {
+                    return;
+                }
+                context.report({
+                    messageId: "default",
+                    node,
+                });
+            },
+        };
+    },
+    defaultOptions: [],
+    meta: {
+        deprecated: false,
+        docs: {
+            description: "disallow setHTMLUnsafe() calls that bypass the safer HTML Sanitizer API path.",
+            frozen: false,
+            recommended: false,
+            url: "https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-set-html-unsafe",
+        },
+        messages: {
+            default: "Do not call setHTMLUnsafe(); use setHTML() or build DOM nodes safely instead.",
+        },
+        schema: [],
+        type: "problem",
+    },
+    name: "no-set-html-unsafe",
+});
+export default rule;
+//# sourceMappingURL=no-set-html-unsafe.js.map

package/dist/rules/no-set-html-unsafe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-set-html-unsafe.js","sourceRoot":"","sources":["../../src/rules/no-set-html-unsafe.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EACH,qBAAqB,EACrB,oBAAoB,GACvB,MAAM,8BAA8B,CAAC;AAItC,MAAM,mBAAmB,GAAG,CAAC,IAA6B,EAAW,EAAE;IACnE,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,OAAO,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,eAAe,CAAC;AAClE,CAAC,CAAC;AAEF,2BAA2B;AAC3B,MAAM,IAAI,GAAkC,UAAU,CAAwB;IAC1E,MAAM,CAAC,OAAO;QACV,OAAO;YACH,cAAc,CAAC,IAA6B;gBACxC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,OAAO;gBACX,CAAC;gBAED,MAAM,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;gBAEvC,IACI,aAAa,KAAK,SAAS;oBAC3B,aAAa,CAAC,IAAI,KAAK,eAAe;oBACtC,oBAAoB,CAAC,aAAa,CAAC,KAAK,EAAE,EAC5C,CAAC;oBACC,OAAO;gBACX,CAAC;gBAED,OAAO,CAAC,MAAM,CAAC;oBACX,SAAS,EAAE,SAAS;oBACpB,IAAI;iBACP,CAAC,CAAC;YACP,CAAC;SACJ,CAAC;IACN,CAAC;IACD,cAAc,EAAE,EAAE;IAClB,IAAI,EAAE;QACF,UAAU,EAAE,KAAK;QACjB,IAAI,EAAE;YACF,WAAW,EACP,+EAA+E;YACnF,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,KAAK;YAClB,GAAG,EAAE,gFAAgF;SACxF;QACD,QAAQ,EAAE;YACN,OAAO,EACH,+EAA+E;SACtF;QACD,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,SAAS;KAClB;IACD,IAAI,EAAE,oBAAoB;CAC7B,CAAC,CAAC;AAEH,eAAe,IAAI,CAAC"}