eslint-plugin-unicorn icon indicating copy to clipboard operation
eslint-plugin-unicorn copied to clipboard

Published 20 hours ago verified publisher icon sindresorhus

Expand `prefer-dom-node-text-content` against `.innerHTML` or implement `no-inner-html` rule

Open darkred opened this issue 4 years ago • 2 comments

My suggestion is to either expand the prefer-dom-node-text-content rule (source) to also enforce .textContent over .innerHTML, or implement a new no-inner-html rule.

The motive for this is mainly because, in extension development such of Refined GitHub, the use innerHTML should always be avoided, otherwise it becomes flagged by the extension stores.

This came up in this PR comment https://github.com/sindresorhus/refined-github/pull/4520#discussion_r659362368 As described in the comment above, such a rule, no-inner-html, is already implemented in the eslint-plugin-lwc plugin. However, that rule disallows the use of 'innerHTML' in ALL its forms. This includes innerHTML, outputHTML and insertAdjacentHTML

Concluding, I was wondering whether it could be beneficial for XO, to either expand the existing prefer-dom-node-text-content rule against innerHTML, or incorporate that rule no-inner-html as a whole.

Fail

foo.innerHTML = '🦄';
// and maybe also
foo.outerHTML = '🦄';
foo.insertAdjacentHTML = '🦄';

Pass

foo.textContent = '🦄';

darkred avatar Jul 07 '21 20:07 darkred

Maybe we could make a more general no-unsafe-dom rule.

For example, with Trusted Types, .innerHTML is not dangerous.

Alternatively, a prefer-trusted-types rule.

sindresorhus avatar Jul 08 '21 09:07 sindresorhus

Related developments: https://web.dev/sanitizer/

❌ el.innerHTML = html;
✅ el.setHTML(html)

fregante avatar Jul 03 '22 06:07 fregante