
Improve innerHTML when sanitized with `DOMPurify.sanitize()`

Open BrookeDot opened this issue 6 years ago • 0 comments

What problem would the enhancement address for VIP?

Currently, the sniff for innerHTML flags any usage of it, even when it's being escaped.

Describe the solution you'd like

It would be nice not to flag usage of DOMPurify.sanitize() in it, since it is being escaped properly.

What code should be reported as a violation?

element.innerHTML = /*custom markup here*/ ;

Passing in a second parameter into DOMPurify.sanitize() will need manual inspection to ensure that the white/blacklists aren't being modified:

element.innerHTML = DOMPurify.sanitize( /*custom markup here*/, { /*custom settings here*/ });

What code should not be reported as a violation?

Only passing in one parameter, we shouldn't need to flag it:

element.innerHTML = DOMPurify.sanitize(/*custom markup here*/ );

Related: #267 regarding DOMPurify and React's dangerouslySetInnerHTML.

Source: https://github.com/Automattic/VIP-Coding-Standards/blob/master/WordPressVIPMinimum/Sniffs/JS/InnerHTMLSniff.php

BrookeDot, Feb 12 '19 22:02
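As an added illustration (not code from the VIP-Coding-Standards project, whose InnerHTMLSniff.php is a PHPCS sniff working on PHP-tokenized JavaScript), the following line-based checker applies the three-way rule proposed in the issue: an innerHTML assignment without DOMPurify.sanitize() is a violation, a sanitize() call with a second config argument needs manual inspection, and a sanitize() call with exactly one argument passes. It also catches a case the issue's examples only imply: a sanitize() call that is not the whole right-hand side (e.g. concatenated with other content) is still a violation. The sample lines, the function names and the config key in the last sample line are constructed for this example; comments inside the scanned lines are treated as ordinary text, so a real sniff should work on tokens rather than a regex.

```javascript
// Added example, not the project's own sniff: a minimal checker for
// `element.innerHTML = ...` assignments that mirrors the rule requested
// in this issue.

// Return the index of the bracket that closes the one at `start`, skipping
// nested brackets and string literals; -1 if it is never closed.
function findMatchingParen(s, start) {
  let depth = 0;
  let quote = null;
  for (let i = start; i < s.length; i++) {
    const c = s[i];
    if (quote) {
      if (c === '\\') i++;              // skip an escaped character in a string
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === '(' || c === '[' || c === '{') depth++;
    else if (c === ')' || c === ']' || c === '}') {
      depth--;
      if (depth === 0) return i;
    }
  }
  return -1;
}

// Split an argument list on commas that are not nested inside brackets or
// strings. A blank list yields zero arguments.
function splitTopLevelArgs(s) {
  const args = [];
  let depth = 0;
  let quote = null;
  let current = '';
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (quote) {
      current += c;
      if (c === '\\') current += s[++i] ?? '';
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === '(' || c === '[' || c === '{') depth++;
    else if (c === ')' || c === ']' || c === '}') depth--;
    else if (c === ',' && depth === 0) {
      args.push(current.trim());
      current = '';
      continue;
    }
    current += c;
  }
  if (current.trim() !== '') args.push(current.trim());
  return args;
}

// Classify one source line:
//   'none'              no assignment to innerHTML on this line
//   'violation'         innerHTML assigned without DOMPurify.sanitize()
//   'manual-inspection' DOMPurify.sanitize() given a second (config) argument,
//                       which may loosen the allow/deny lists
//   'ok'                DOMPurify.sanitize() called with exactly one argument
function classifyInnerHtmlAssignment(line) {
  const m = line.match(/\.innerHTML\s*\+?=(?!=)\s*(.*)$/);
  if (!m) return 'none';
  const rhs = m[1].replace(/;\s*$/, '').trim();
  const prefix = 'DOMPurify.sanitize(';
  if (!rhs.startsWith(prefix)) return 'violation';
  const close = findMatchingParen(rhs, prefix.length - 1);
  // The sanitize() call must be the entire expression; `sanitize(x) + tail`
  // appends content that never went through the sanitizer.
  if (close !== rhs.length - 1) return 'violation';
  const args = splitTopLevelArgs(rhs.slice(prefix.length, close));
  if (args.length === 1) return 'ok';
  if (args.length >= 2) return 'manual-inspection';
  return 'violation'; // sanitize() with no argument sanitizes nothing
}

// Run the classifier over a source text; report lines that touch innerHTML
// with 1-based line numbers.
function scanSource(source) {
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, verdict: classifyInnerHtmlAssignment(text) }))
    .filter((r) => r.verdict !== 'none');
}

// Constructed sample input: the issue's three cases, a comparison that is
// not an assignment, a sanitize() call that is not the whole expression,
// and a `+=` assignment with a config object.
const SAMPLE = [
  'element.innerHTML = /*custom markup here*/ ;',
  'element.innerHTML = DOMPurify.sanitize( /*custom markup here*/, { /*custom settings here*/ });',
  'element.innerHTML = DOMPurify.sanitize(/*custom markup here*/ );',
  'if (element.innerHTML === "") { return; }',
  'element.innerHTML = DOMPurify.sanitize(userInput) + "<b>" + untrusted + "</b>";',
  'el.innerHTML += DOMPurify.sanitize(row, { ADD_TAGS: ["iframe"] });',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanSource(SAMPLE)) console.log(`line ${r.line}: ${r.verdict}`);
}
```

Running the block prints one verdict per innerHTML line; the comparison on line 4 produces nothing because the checker only reacts to `=` and `+=`, not `===`.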