Merge pull request #620 from mozfreddyb/no-unsanitized

introduce eslint for DOM XSS linting
zaproxy · Oct 10, 2019 · 7cccd13 · 7cccd13
2 parents 8229c6f + 8bcfa3a
commit 7cccd13
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/package.json b/package.json
@@ -51,8 +51,25 @@
       "src/test/js/**",
       "src/webpack/**"
     ],
+    "plugins": ["no-unsanitized"],
     "rules": {
       "no-negated-condition": "warn",
+      "no-unsanitized/method": ["error",
+        {
+          "escape": {
+            "methods": [
+              "DOMPurify.sanitize"
+            ]
+          }
+        }],
+      "no-unsanitized/property": ["error",
+        {
+          "escape": {
+            "methods": [
+              "DOMPurify.sanitize"
+            ]
+          }
+        }],
       "no-unused-vars": "warn",
       "prefer-destructuring": "warn",
       "unicorn/no-for-loop": "warn",
@@ -80,6 +97,7 @@
   "devDependencies": {
     "ava": "^2.4.0",
     "css-loader": "^3.2.0",
+    "eslint-plugin-no-unsanitized": "^3.0.2",
     "lint-staged": "^9.4.2",
     "vue-loader": "^15.7.1",
     "vue-style-loader": "^4.1.2",

diff --git a/src/main/zapHomeFiles/hud/display.js b/src/main/zapHomeFiles/hud/display.js
@@ -1113,6 +1113,8 @@ navigator.serviceWorker.addEventListener('message', event => {
 
 			channel.port1.addEventListener('message', event => {
 				// Open window and inject the HTML report
+				// FIXME: remove after #620
+				// eslint-disable-next-line no-unsanitized/property
 				window.open('').document.body.innerHTML = event.data.response;
 			});