dan/oxc
1
0
Fork 0
mirror of https://github.com/danbulant/oxc synced 2026-05-24 12:21:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(linter): no_script_url (#2761)

Browse source 
Rule detail: https://eslint.org/docs/latest/rules/no-script-url

---------

Co-authored-by: j.buendia <j.buendia>
This commit is contained in:
Jose 2024-03-20 02:09:34 +01:00 committed by GitHub
parent 99dcd00bf3
commit 291dc0597c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 132 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
crates/oxc_linter/src/rules.rs
View file

@ -91,6 +91,7 @@ mod eslint {
pub mod no_redeclare; pub mod no_redeclare;
pub mod no_regex_spaces; pub mod no_regex_spaces;
pub mod no_return_await; pub mod no_return_await;
pub mod no_script_url;
pub mod no_self_assign; pub mod no_self_assign;
pub mod no_self_compare; pub mod no_self_compare;
pub mod no_setter_return; pub mod no_setter_return;
@ -416,6 +417,7 @@ oxc_macros::declare_all_lint_rules! {
eslint::no_redeclare, eslint::no_redeclare,
eslint::no_regex_spaces, eslint::no_regex_spaces,
eslint::no_return_await, eslint::no_return_await,
eslint::no_script_url,
eslint::no_self_assign, eslint::no_self_assign,
eslint::no_self_compare, eslint::no_self_compare,
eslint::no_setter_return, eslint::no_setter_return,

99
crates/oxc_linter/src/rules/eslint/no_script_url.rs Normal file
View file

@ -0,0 +1,99 @@
use oxc_ast::AstKind;
use oxc_diagnostics::{
miette::{self, Diagnostic},
thiserror::Error,
};
use oxc_macros::declare_oxc_lint;
use oxc_span::Span;
use crate::{context::LintContext, rule::Rule, AstNode};
#[derive(Debug, Error, Diagnostic)]
#[error("eslint(no-script-url): Script URL is a form of eval")]
#[diagnostic(severity(warning), help("Disallow `javascript:` urls"))]
struct NoScriptUrlDiagnostic(#[label] pub Span);
#[derive(Debug, Default, Clone)]
pub struct NoScriptUrl;
declare_oxc_lint!(
/// ### What it does
/// Disallow javascript: urls
///
/// ### Why is this bad?
/// Using javascript: URLs is considered by some as a form of eval. Code passed in javascript: URLs has to be parsed and evaluated by the browser in the same way that eval is processed.
///
/// ### Example
/// ```javascript
/// /*eslint no-script-url: "error"*/
///
/// location.href = "javascript:void(0)";
///
/// location.href = `javascript:void(0)`;
/// ```
NoScriptUrl,
style
);
impl Rule for NoScriptUrl {
fn run<'a>(&self, node: &AstNode<'a>, ctx: &LintContext<'a>) {
match node.kind() {
AstKind::StringLiteral(literal)
if literal.value.to_lowercase().starts_with("javascript:") =>
{
emit_diagnostic(ctx, literal.span);
}
AstKind::TemplateLiteral(literal)
if !is_tagged_template_expression(ctx, node, literal.span) =>
{
if literal.quasis.len() == 1
&& literal
.quasis
.first()
.unwrap()
.value
.raw
.to_lowercase()
.starts_with("javascript:")
{
emit_diagnostic(ctx, literal.span);
}
}
_ => {}
}
}
}
fn emit_diagnostic(ctx: &LintContext, span: Span) {
ctx.diagnostic(NoScriptUrlDiagnostic(Span::new(span.start, span.end)));
}
fn is_tagged_template_expression(ctx: &LintContext, node: &AstNode, literal_span: Span) -> bool {
matches!(
ctx.nodes().parent_kind(node.id()),
Some(AstKind::TaggedTemplateExpression(expr)) if expr.quasi.span == literal_span
)
}
#[test]
fn test() {
use crate::tester::Tester;
let pass = vec![
"var a = 'Hello World!';",
"var a = 10;",
"var url = 'xjavascript:'",
"var url = `xjavascript:`",
"var url = `${foo}javascript:`",
"var a = foo`javaScript:`;",
];
let fail = vec![
"var a = 'javascript:void(0);';",
"var a = 'javascript:';",
"var a = `javascript:`;",
"var a = `JavaScript:`;",
];
Tester::new(NoScriptUrl::NAME, pass, fail).test_and_snapshot();
}

31
crates/oxc_linter/src/snapshots/no_script_url.snap Normal file
View file

@ -0,0 +1,31 @@
---
source: crates/oxc_linter/src/tester.rs
expression: no_script_url
---
⚠ eslint(no-script-url): Script URL is a form of eval
╭─[no_script_url.tsx:1:9]
1 │ var a = 'javascript:void(0);';
· ─────────────────────
╰────
help: Disallow `javascript:` urls
⚠ eslint(no-script-url): Script URL is a form of eval
╭─[no_script_url.tsx:1:9]
1 │ var a = 'javascript:';
· ─────────────
╰────
help: Disallow `javascript:` urls
⚠ eslint(no-script-url): Script URL is a form of eval
╭─[no_script_url.tsx:1:9]
1 │ var a = `javascript:`;
· ─────────────
╰────
help: Disallow `javascript:` urls
⚠ eslint(no-script-url): Script URL is a form of eval
╭─[no_script_url.tsx:1:9]
1 │ var a = `JavaScript:`;
· ─────────────
╰────
help: Disallow `javascript:` urls