Replacing escape function by encodeURI #13

Open
wants to merge 1 commit into
base: master
12 changes: 6 additions & 6 deletions docs/rules/no-location-href-assign.md
@@ -1,6 +1,6 @@
# Checks for all assignments to location.href

This rule ensures that you are calling escape logic before assigning to location.href property.
This rule ensures that you are calling encodeURI logic before assigning to location.href property.

## Rule Details

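Review bot: the rewritten sentence still presents encodeURI as the escape logic that makes a location.href assignment safe, but encodeURI only percent-encodes characters outside the URI character set and leaves a scheme such as javascript: untouched, so wrapping a value in it does not by itself remove the XSS risk that this rule's error message warns about. Suggest wording it as "calling the configured escapeFunc (encodeURI by default)" and adding one sentence that the chosen function is expected to validate or reject unsafe schemes, not only encode the string.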
Expand All @@ -26,13 +26,13 @@ location.href = getNextUrl();
The following patterns are not errors:

```js
// this rule ensures that you are calling escape function before location.href assignment
// 'escape' name can be configured via options.
location.href = escape('some evil url');
// this rule ensures that you are calling encodeURI function before location.href assignment
// 'encodeURI' name can be configured via options.
location.href = encodeURI('some evil url');

```
The concrete implementation of escape is up to you and how you will decide to escape location.href value. This rule
only ensures that you are handling assignment in a proper way (by wrapping the right part with the escape function).
only ensures that you are handling assignment in a proper way (by wrapping the right part with the encodeURI function).

### Options

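Review bot: the unchanged sentence "The concrete implementation of escape is up to you" now contradicts the line right below it, which names the built-in encodeURI; since encodeURI has a fixed implementation, either refer to escapeFunc here or state that the default is the global encodeURI unless overridden. The comment "'encodeURI' name can be configured via options." also reads oddly; suggest "the function name ('encodeURI' by default) can be configured via the escapeFunc option".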
Expand All @@ -43,7 +43,7 @@ only ensures that you are handling assignment in a proper way (by wrapping the r
```

### escapeFunc (optional)
Function name that is used to sanitize user input. 'escape' is used by default.
Function name that is used to sanitize user input. 'encodeURI' is used by default.


## When Not To Use It
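Review bot: changing the default from 'escape' to 'encodeURI' is a breaking change for every project that uses the rule without options, since `location.href = escape(x)` goes from passing to being reported; this section should say so explicitly and point existing users to `{ escapeFunc: 'escape' }` to keep the old behaviour, and the version bump and changelog should reflect the break.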
2 changes: 1 addition & 1 deletion lib/rules/no-location-href-assign.js
Expand Up @@ -19,7 +19,7 @@ module.exports = {
},
create: function( context ) {
var escapeFunc = context.options[ 0 ] &&
context.options[ 0 ].escapeFunc || 'escape';
context.options[ 0 ].escapeFunc || 'encodeURI';

return {
AssignmentExpression: function( node ) {
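Review bot: the rule matches purely on the callee name, so with this default `location.href = encodeURI(url)` satisfies the rule even though encodeURI does not reject a javascript: or data: scheme; if the motivation for the new default is XSS prevention, the docs should make clear that encodeURI is only a default name and that a project-specific validator should be configured via escapeFunc. Minor: `context.options[ 0 ] && context.options[ 0 ].escapeFunc || 'encodeURI'` relies on `&&` binding tighter than `||`; it is correct, but parentheses around the `&&` expression would make the fallback explicit.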
22 changes: 11 additions & 11 deletions tests/lib/rules/no-location-href-assign.js
Expand Up @@ -15,8 +15,8 @@ ruleTester.run( 'no-location-href-assign', rule, {
'someLink.href = \'www\'',
'href = \'wwww\'',
{
code: 'location.href = escape(\'www\')',
options: [ { escapeFunc: 'escape' } ]
code: 'location.href = encodeURI(\'www\')',
options: [ { escapeFunc: 'encodeURI' } ]
},
{
code: 'location.href = DOMPurify.sanitize(\'www\')',
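Review bot: this valid case pins `options: [ { escapeFunc: 'encodeURI' } ]`, so it passes whether or not the default changed and does not cover the new behaviour; add a valid case `'location.href = encodeURI(\'www\')'` with no options to exercise the new default, and an invalid case `'location.href = escape(\'www\')'` with no options to lock in that the previous default is now reported.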
Expand All @@ -26,27 +26,27 @@ ruleTester.run( 'no-location-href-assign', rule, {

invalid: [
{
code: 'location.href = wrapper(escape(\'www\'))',
code: 'location.href = wrapper(encodeURI(\'www\'))',
options: [ { escapeFunc: 'escapeXSS' } ],
errors: [ {
message: 'Dangerous location.href assignment can lead to XSS.' +
' Please use escapeXSS(wrapper(escape(\'www\'))) ' +
' Please use escapeXSS(wrapper(encodeURI(\'www\'))) ' +
'as a wrapper for escaping'
} ]
},
{
code: 'location.href = wrapper(\'www\')',
options: [ { escapeFunc: 'escape' } ],
options: [ { escapeFunc: 'encodeURI' } ],
errors: [ {
message: 'Dangerous location.href assignment can lead to XSS.' +
' Please use escape(wrapper(\'www\')) as a wrapper for escaping'
' Please use encodeURI(wrapper(\'www\')) as a wrapper for escaping'
} ]
},
{
code: 'location.href = \'some location\'',
errors: [ {
message: 'Dangerous location.href assignment can lead to XSS.' +
' Please use escape(\'some location\') as a wrapper for escaping'
' Please use encodeURI(\'some location\') as a wrapper for escaping'
} ]
},
{
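Review bot: the third case here (no options, expecting `encodeURI('some location')` in the message) is the only assertion in this hunk that exercises the new default, which is good; the first case, however, now expects the rule to tell the user to write `escapeXSS(wrapper(encodeURI('www')))`, i.e. to wrap a value that has already been passed through encodeURI, and the trailing text "as a wrapper for escaping" presents that nesting as the recommendation. Worth confirming that suggesting double wrapping is intended rather than a fixture left over from the rename.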
Expand All @@ -61,28 +61,28 @@ ruleTester.run( 'no-location-href-assign', rule, {
code: 'window.location.href = \'some location\'',
errors: [ {
message: 'Dangerous location.href assignment can lead to XSS.' +
' Please use escape(\'some location\') as a wrapper for escaping'
' Please use encodeURI(\'some location\') as a wrapper for escaping'
} ]
},
{
code: 'document.location.href = \'some location\'',
errors: [ {
message: 'Dangerous location.href assignment can lead to XSS.' +
' Please use escape(\'some location\') as a wrapper for escaping'
' Please use encodeURI(\'some location\') as a wrapper for escaping'
} ]
},
{
code: 'window.document.location.href = \'some location\'',
errors: [ {
message: 'Dangerous location.href assignment can lead to XSS.' +
' Please use escape(\'some location\') as a wrapper for escaping'
' Please use encodeURI(\'some location\') as a wrapper for escaping'
} ]
},
{
code: 'window.document.location.href = getNextUrl()',
errors: [ {
message: 'Dangerous location.href assignment can lead to XSS.' +
' Please use escape(getNextUrl()) as a wrapper for escaping'
' Please use encodeURI(getNextUrl()) as a wrapper for escaping'
} ]
}
]
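Review bot: the same expected message is spelled out in every invalid case; a small helper such as `var expected = function( expr ) { return 'Dangerous location.href assignment can lead to XSS. Please use encodeURI(' + expr + ') as a wrapper for escaping'; };` would make the next change of default a single edit instead of one per case and would have avoided most of the churn in this file.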