Commit 1ca9c26

anderskedg2s authored and committed
no-append-html: Catch .add(html)
Fixes #308. Signed-off-by: Anders Kaseorg <[email protected]>
1 parent 4a5db0b commit 1ca9c26

File tree: 3 files changed, +9 -2 lines changed

docs/rules/no-append-html.md

Lines changed: 3 additions & 1 deletion
@@ -2,7 +2,7 @@
22

33
# no-append-html
44

5-
Disallows using [`.append`](https://api.jquery.com/append/)/[`.prepend`](https://api.jquery.com/prepend/)/[`.before`](https://api.jquery.com/before/)/[`.after`](https://api.jquery.com/after/)/[`.replaceWith`](https://api.jquery.com/replaceWith/) to inject HTML, in order to prevent possible XSS bugs.
5+
Disallows using [`.append`](https://api.jquery.com/append/)/[`.prepend`](https://api.jquery.com/prepend/)/[`.before`](https://api.jquery.com/before/)/[`.after`](https://api.jquery.com/after/)/[`.replaceWith`](https://api.jquery.com/replaceWith/)/[`.add`](https://api.jquery.com/add/) to inject HTML, in order to prevent possible XSS bugs.
66

77
## Rule details
88

@@ -13,6 +13,7 @@ $div.prepend( '<xss>' );
1313
$div.before( '<xss>' );
1414
$div.after( '<xss>' );
1515
$div.replaceWith( '<xss>' );
16+
$els.add( '<xss>' );
1617
$div.append( code + '<xss>' );
1718
$div.append( test ? $el : '<xss>' );
1819
$div.append( $el, '<xss>' );
@@ -28,6 +29,7 @@ $div.prepend( $el );
2829
$div.before( $el );
2930
$div.after( $el );
3031
$div.replaceWith( $el );
32+
$els.add( $el );
3133
$div.append( this.$el );
3234
$div.append( this.foo.$el );
3335
$div.append( $el1, $el2 );
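Review bot: the new `$els.add( '<xss>' )` and `$els.add( $el )` lines (16 and 32) document the HTML-string and jQuery-object forms, but `.add` differs from the other methods listed in that it also accepts a plain selector string; the examples should state whether `$els.add( '.item' )` is allowed, since a reader of this list will otherwise assume every string argument to `.add` is reported.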

src/rules/no-append-html.js

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
'use strict';
22

33
const utils = require( '../utils.js' );
4-
const methods = [ 'append', 'prepend', 'before', 'after', 'replaceWith' ];
4+
const methods = [ 'append', 'prepend', 'before', 'after', 'replaceWith', 'add' ];
55

66
function alljQueryOrEmpty( context, node ) {
77
if ( node.type === 'ConditionalExpression' ) {
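Review bot: adding `'add'` to `methods` on line 4 routes `.add()` through the same `alljQueryOrEmpty` check as the insertion methods, but `.add` also takes a selector string (`$els.add( '.item' )`), a common non-HTML use; if that check rejects any argument that is not a jQuery object, those calls will now be reported. Consider either allowing a string literal for `add` that cannot be HTML (one that does not start with `<`), or calling out the new false positive in the rule docs.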

tests/rules/no-append-html.js

Lines changed: 5 additions & 0 deletions
@@ -13,6 +13,7 @@ ruleTester.run( 'no-append-html', rule, {
1313
'$div.before($el)',
1414
'$div.after($el)',
1515
'$div.replaceWith($el)',
16+
'$els.add($el)',
1617
'$div.append(this.$el)',
1718
'$div.append(this.foo.$el)',
1819
'$div.append($el1, $el2)',
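Review bot: the only valid case added for the new method is `'$els.add($el)'` on line 16; nothing pins down how `.add` with a selector string or a DOM element should be treated. Add a case such as `'$els.add(".item")'` to the valid list, or to the invalid list if rejecting it is deliberate, so the intended behaviour is explicit in the tests.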
@@ -50,6 +51,10 @@ ruleTester.run( 'no-append-html', rule, {
5051
code: '$div.replaceWith("<xss>")',
5152
errors: [ error ]
5253
},
54+
{
55+
code: '$els.add("<xss>")',
56+
errors: [ error ]
57+
},
5358
{
5459
code: '$div.append(code + "<xss>")',
5560
errors: [ error ]
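Review bot: the invalid cases for `.append` also cover concatenation (`code + "<xss>"`), a conditional, and mixed arguments, but the `.add` entry added on lines 54-57 checks only the literal `"<xss>"` string. Mirror at least the concatenation and conditional variants for `.add` so the new method is exercised through the same code paths as the existing ones.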
