Skip to content

⭐️New: Add vue/no-v-html rule #435

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jul 14, 2018
Merged

⭐️New: Add vue/no-v-html rule #435

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0cf3a79
New: Add `vue/no-v-html` rule
n-zeplo Mar 18, 2018
4ca876a
Update category to undefined as categories are defined in major releases
n-zeplo Jul 12, 2018
c328cfe
Update no-v-html category
michalsnik Jul 14, 2018
4812690
Merge branch 'master' into pr/435
michalsnik Jul 14, 2018
df3a8ab
Update no-v-html rule link
michalsnik Jul 14, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions docs/rules/no-v-html.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# disallow use of v-html to prevent XSS attack (no-v-html)

This rule reports use of `v-html` directive in order to reduce the risk of injecting potentially unsafe / unescaped html into the browser leading to Cross Side Scripting (XSS) attacks.

## :book: Rule Details

This rule reports all uses of `v-html` to help prevent XSS attacks.

This rule does not check syntax errors in directives because it's checked by no-parsing-error rule.

:-1: Examples of **incorrect** code for this rule:

```html
<template>
<div v-html="someHTML"></div>
</template>
```

:+1: Examples of **correct** code for this rule:

```html
<template>
<div>{{someHTML}}</div>
</template>
```

## :wrench: Options

Nothing.

## When Not To Use It

If you are certain the content passed `to v-html` is sanitized HTML you can disable this rule.

## Further Reading

* (XSS in Vue.js)[https://blog.sqreen.io/xss-in-vue-js/]
33 changes: 33 additions & 0 deletions lib/rules/no-v-html.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
/**
* @fileoverview Restrict or warn use of v-html to prevent XSS attack
* @author Nathan Zeplowitz
*/
'use strict'
const utils = require('../utils')

// ------------------------------------------------------------------------------
// Rule Definitionutilu
// ------------------------------------------------------------------------------

module.exports = {
meta: {
docs: {
description: 'disallow use of v-html to prevent XSS attack',
category: 'security enhancement',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use undefined as category. We're going to assign categories in major releases, as it results in automatic generation of sharable configs.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the PR with this change.

url: 'https://github.com/vuejs/eslint-plugin-vue/blob/v4.3.0/docs/rules/no-v-html.md'
},
fixable: null,
schema: []
},
create (context) {
return utils.defineTemplateBodyVisitor(context, {
"VAttribute[directive=true][key.name='html']" (node) {
context.report({
node,
loc: node.loc,
message: "'v-html' directive can lead to XSS attack."
})
}
})
}
}
58 changes: 58 additions & 0 deletions tests/lib/rules/no-v-html.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
/**
* @fileoverview Restrict or warn use of v-html to prevent XSS attack
* @author Nathan Zeplowitz
*/
'use strict'

// ------------------------------------------------------------------------------
// Requirements
// ------------------------------------------------------------------------------

const RuleTester = require('eslint').RuleTester
const rule = require('../../../lib/rules/no-v-html')

// ------------------------------------------------------------------------------
// Tests
// ------------------------------------------------------------------------------
const ruleTester = new RuleTester({
parser: 'vue-eslint-parser',
parserOptions: { ecmaVersion: 2015 }
})

ruleTester.run('no-v-html', rule, {
valid: [
{
filename: 'test.vue',
code: ''
},
{
filename: 'test.vue',
code: '<template></template>'
},
{
filename: 'test.vue',
code: '<template><div v-if="foo"></div></template>'
},
{
filename: 'test.vue',
code: '<template><div v-if="foo" v-bind="bar"></div></template>'
}
],
invalid: [
{
filename: 'test.vue',
code: '<template><div v-html="foo"></div></template>',
errors: ["'v-html' directive can lead to XSS attack."]
},
{
filename: 'test.vue',
code: '<template><ul v-html:aaa="userHTML"></ul></template>',
errors: ["'v-html' directive can lead to XSS attack."]
},
{
filename: 'test.vue',
code: '<template><section v-html/></template>',
errors: ["'v-html' directive can lead to XSS attack."]
}
]
})