linter: Add checks for sloppy use of .html().

Since jQuery's .html() can be a source of security bugs, we add a new lint rule that tries to catch common problematic uses.
2025-11-21 15:09:34 +00:00 · 2018-03-22 14:04:24 -07:00
parent 5f0f492205
commit feef35bf25
3 changed files with 7 additions and 2 deletions
--- a/static/js/reactions.js
+++ b/static/js/reactions.js
@@ -187,7 +187,7 @@ exports.get_add_reaction_button = function (message_id) {

 exports.set_reaction_count = function (reaction, count) {
    var count_element = reaction.find('.message_reaction_count');
-    count_element.html(count);
+    count_element.text(count);
 };

 exports.add_reaction = function (event) {
--- a/static/js/stream_edit.js
+++ b/static/js/stream_edit.js
@@ -69,7 +69,7 @@ exports.show_sub_settings = function (sub) {
    var $settings = $(".subscription_settings[data-stream-id='" + sub.stream_id + "']");
    if ($settings.find(".email-address").val().length === 0) {
        // Rerender stream email address, if not.
-        $settings.find(".email-address").html(sub.email_address);
+        $settings.find(".email-address").text(sub.email_address);
        $settings.find(".stream-email-box").show();
    }
    $settings.find(".regular_subscription_settings").addClass('in');
--- a/tools/linter_lib/custom_check.py
+++ b/tools/linter_lib/custom_check.py
@@ -188,6 +188,11 @@ def build_custom_checkers(by_lang):
         'description': 'Do not concatenate i18n strings'},
        {'pattern': '\+.*i18n\.t\(.+\)',
         'description': 'Do not concatenate i18n strings'},
+        {'pattern': '[.]html[(]',
+         'exclude_pattern': '[.]html[(]("|\'|templates|html|message.content|sub.rendered_description|i18n.t|rendered_|$|[)]|error_text|[$]error|[$][(]"<p>"[)])',
+         'exclude': ['static/js/portico', 'static/js/lightbox.js', 'static/js/ui_report.js',
+                     'frontend_tests/'],
+         'description': 'Setting HTML content with jQuery .html() can lead to XSS security bugs.  Consider .text() or using rendered_foo as a variable name if content comes from handlebars and thus is already sanitized.'},
        {'pattern': '["\']json/',
         'description': 'Relative URL for JSON route not supported by i18n'},
        # This rule is constructed with + to avoid triggering on itself