Milos Djermanovic
New Rule: disallow bidirectional control characters and homoglyphs to mitigate trojan source attacks
> ```js
> var accessLevel = "user";
> if (accessLevel != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}") {
>     console.log("You are an admin");
> }
>
> // Replacing {U+NNNN}...
New Rule: disallow bidirectional control characters and homoglyphs to mitigate trojan source attacks
> Homoglyphs can be somewhat tricky to determine, though perhaps the Unicode confusables database can be a good reference.
>
> Regarding homoglyphs: I think it’s not just identifiers that...
New Rule: disallow bidirectional control characters and homoglyphs to mitigate trojan source attacks
> I'm not sure the homoglyph or zero-width-joiner vector deserves a new rule. The `no-shadow` rule already exists and has the same spirit. It could be extended to match identifiers...
New Rule: disallow bidirectional control characters and homoglyphs to mitigate trojan source attacks
> disallow bidirectional control characters and homoglyphs in source code to mitigate CVE-2021-42574 and CVE-2021-42694

@joyeecheung can you elaborate more on the proposal about homoglyphs? Is the proposal to entirely...
> The autofix will change the `let` to a `const`. This fixes the symptom and further hides the true bug.

This indeed looks like a case where autofix for a...
I'm not in favor of removing the autofix feature from the `prefer-const` rule. I would be in favor of adding a configuration option to disable autofixing for specified rules. We...
> Option A:
>
> * Allow the rule/autofix metadata to declare itself as "potentially dangerous"
> * Have the `prefer-const` autofix declare itself as potentially dangerous.
> * Provide...
Per https://github.com/estree/estree/pull/224, this will not be included in ESTree.

Acorn update: https://github.com/acornjs/acorn/commit/b2ecf7a378097a95c9244209cd5e4aff748c2b2c (released in Acorn v8.8.0)

It doesn't seem that this requires any changes in `eslint-visitor-keys` and `eslint-scope`.
ESLint already supports hashbang comments, regardless of parser and ecmaVersion, by [replacing `#!` with `//`](https://github.com/eslint/eslint/blob/2aadc93272f1ab7f40246c6b18c4056660f2b3a2/lib/linter/linter.js#L779) before parsing to make it appear as a line comment, and then [updating that comment's...
@amareshsm PR is still missing the tests update (https://github.com/eslint/eslint/pull/16096#pullrequestreview-1028524419)