linter: Add checks for sloppy use of .html().

Since jQuery's .html() can be a source of security bugs, we add a new
lint rule that tries to catch common problematic uses.
Tim Abbott
2018-03-22 14:04:24 -07:00
parent 5f0f492205
commit feef35bf25
3 changed files with 7 additions and 2 deletions


@@ -187,7 +187,7 @@ exports.get_add_reaction_button = function (message_id) {
exports.set_reaction_count = function (reaction, count) { exports.set_reaction_count = function (reaction, count) {
var count_element = reaction.find('.message_reaction_count'); var count_element = reaction.find('.message_reaction_count');
count_element.html(count); count_element.text(count);
}; };
exports.add_reaction = function (event) { exports.add_reaction = function (event) {


@@ -69,7 +69,7 @@ exports.show_sub_settings = function (sub) {
var $settings = $(".subscription_settings[data-stream-id='" + sub.stream_id + "']"); var $settings = $(".subscription_settings[data-stream-id='" + sub.stream_id + "']");
if ($settings.find(".email-address").val().length === 0) { if ($settings.find(".email-address").val().length === 0) {
// Rerender stream email address, if not. // Rerender stream email address, if not.
$settings.find(".email-address").html(sub.email_address); $settings.find(".email-address").text(sub.email_address);
$settings.find(".stream-email-box").show(); $settings.find(".stream-email-box").show();
} }
$settings.find(".regular_subscription_settings").addClass('in'); $settings.find(".regular_subscription_settings").addClass('in');


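--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -188,6 +188,11 @@ def build_custom_checkers(by_lang):
 'description': 'Do not concatenate i18n strings'},
 {'pattern': '\+.*i18n\.t\(.+\)',
 'description': 'Do not concatenate i18n strings'},
+{'pattern': '[.]html[(]',
+'exclude_pattern': '[.]html[(]("|\'|templates|html|message.content|sub.rendered_description|i18n.t|rendered_|$|[)]|error_text|[$]error|[$][(]"<p>"[)])',
+'exclude': ['static/js/portico', 'static/js/lightbox.js', 'static/js/ui_report.js',
+'frontend_tests/'],
+'description': 'Setting HTML content with jQuery .html() can lead to XSS security bugs. Consider .text() or using rendered_foo as a variable name if content comes from handlebars and thus is already sanitized.'},
 {'pattern': '["\']json/',
 'description': 'Relative URL for JSON route not supported by i18n'},
 # This rule is constructed with + to avoid triggering on itself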
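Review bot: The `"` and `\'` alternatives in the new `exclude_pattern` exempt any `.html(` call whose first argument merely starts with a string literal, so a call like `.html("<b>" + name)` with unsanitized `name` passes the lint while `.html(name)` is flagged. Requiring the literal to be closed right before the call's closing paren narrows that gap, e.g. `[.]html[(]("[^"]*"[)]|\'[^\']*\'[)]|templates|...` in place of `[.]html[(]("|\'|templates|...`. The bare `$` alternative is an end-of-line anchor rather than a literal `$`, so a call whose argument continues on the next line is exempted entirely; a comment such as `# '$' exempts calls continued on the next line; their argument is not checked` would make that intent visible to the next maintainer. The `html`, `rendered_` and `sub.rendered_description` alternatives exempt by variable naming alone, which the description already acknowledges, so a name matching them should be read in review as a claim of prior sanitization to verify, not as proof of it.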