Rule proposal: `.replace` or `.replaceAll` with non-literal replacement · sindresorhus/eslint-plugin-unicorn#2309

(3 comments) (4 reactions) (0 assignees)JavaScript (5,022 stars) (468 forks)user submission

help wantednew rule

説明

Description

One might think that a function like this generates safe HTML because the argument is HTML-escaped.

function imageLink(url) {
  const IMAGE_TEMPLATE = '<img src="{url}">';
  return IMAGE_TEMPLATE.replace('{url}', htmlEscape(url));
}

But in fact there’s a very obscure cross-site scripting vulnerability here, abusing the $` replacement sequence interpreted by String.prototype.replace and .replaceAll!

imageLink("$` onerror=alert(1) ")
//=> '<img src="<img src=" onerror=alert(1) ">'

To protect against this mistake, it would be nice to have an ESLint rule that forbids use of .replace and .replaceAll where the second argument isn’t a string literal or a function.

Fail

IMAGE_TEMPLATE.replace('{url}', htmlEscape(url))

Pass

IMAGE_TEMPLATE.replace('{url}', () => htmlEscape(url))

IMAGE_TEMPLATE.replace('{url}', "https://example.com")

Additional Info

No response

コントリビューターガイド

技術スタック: javascriptnodejs
領域: toolingdeveloper experiencesecurity
Issue 種別: feature
難度: 3
推定時間: half day
活動状況: fresh
明確さ: mostly clear
前提条件: Basic JavaScriptESLint rule development basics
初心者向け度: 65
調査方針: This issue proposes a new ESLint rule. To implement, study existing rules in the eslint plugin unicorn repository, particularly rules that analyze String.prototype.replace calls. Look at the rule structure in the 'rules' directory and test files in 'test'. The rule should check if the second argument to .replace or .replaceAll is a string literal or a function. The maintainers may have additional guidance in comments; review the discussion to ensure alignment.