
HTMLExecutingFunctionsSniff: Add more unsafe functions to $HTMLExecutingFunctions

Open rebeccahum opened this issue 4 years ago • 0 comments

Describe the solution you'd like

We should add to the $HTMLExecutingFunctions property the following functions:

  • insertAdjacentHTML
  • outerHTML

What code should be reported as a violation?

(function(){
	// divElem is an existing element; userControlledVal is attacker-influenced input.
	divElem.outerHTML = "<div>Hello " + userControlledVal + "</div>"; // Warning.
	// position must be one of beforebegin/afterbegin/beforeend/afterend.
	divElem.insertAdjacentHTML("beforeend", "<b>" + userControlledVal + "</b>"); // Warning.
})();
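
As an added example, not code from the VIP-Coding-Standards project or from the issue author, the following Node.js script shows the reporting behaviour the issue asks for: it scans JavaScript source line by line and flags assignments to outerHTML and calls to insertAdjacentHTML, while leaving comparisons (`===`) and the text-only alternatives (textContent, insertAdjacentText) unreported. The sink list (innerHTML included as an assumed existing entry), the `findHtmlSinks` function and the sample source are all constructed for the demonstration; the real sniff's `$HTMLExecutingFunctions` property is defined in the project.

```javascript
// Added example (not part of VIP-Coding-Standards): a minimal line-based
// scanner that reports uses of HTML-executing DOM sinks. The sink list below
// is an assumption for the demo, not the sniff's real property.
const HTML_EXECUTING_SINKS = {
  // Property assignments such as `elem.outerHTML = ...` (comparisons excluded).
  properties: ['outerHTML', 'innerHTML'],
  // Method calls such as `elem.insertAdjacentHTML(position, html)`.
  methods: ['insertAdjacentHTML'],
};

// Build one regex per sink. For properties, require `=` not followed by
// another `=`, so `==` and `===` comparisons are not treated as writes.
function buildPatterns(sinks) {
  const patterns = [];
  for (const prop of sinks.properties) {
    patterns.push({ sink: prop, re: new RegExp(`\\.${prop}\\s*=(?!=)`) });
  }
  for (const method of sinks.methods) {
    patterns.push({ sink: method, re: new RegExp(`\\.${method}\\s*\\(`) });
  }
  return patterns;
}

// Returns one finding per (line, sink) pair: { line, sink, code }.
function findHtmlSinks(source, sinks = HTML_EXECUTING_SINKS) {
  const patterns = buildPatterns(sinks);
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { sink, re } of patterns) {
      if (re.test(text)) {
        findings.push({ line: idx + 1, sink, code: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample mirroring the issue's snippet, plus non-sink lines that
// a naive substring match would wrongly report.
const SAMPLE = `
(function(){
  divElem.outerHTML = "<div>Hello " + userControlledVal + "</div>";
  divElem.insertAdjacentHTML("beforeend", "<b>" + userControlledVal + "</b>");
  if (divElem.outerHTML === cached) { return; }               // comparison, not a write
  divElem.textContent = userControlledVal;                     // safe: no HTML parsing
  divElem.insertAdjacentText("beforeend", userControlledVal);  // safe: inserts text only
})();
`;

// Human-readable report lines in the spirit of a sniff warning.
function formatReport(findings) {
  return findings.map(f => `line ${f.line}: ${f.sink} executes HTML: ${f.code}`);
}

console.log(formatReport(findHtmlSinks(SAMPLE)).join('\n'));
```

Running it prints two warnings, for the outerHTML assignment and the insertAdjacentHTML call; the comparison and the textContent/insertAdjacentText lines stay silent, which is the distinction a sniff needs to avoid false positives on the new entries.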

Additional context

http://blog.blueclosure.com/2017/09/

rebeccahum avatar May 25 '21 21:05 rebeccahum