35 lines
909 B
JavaScript
35 lines
909 B
JavaScript
/**
|
|
* @fileoverview Restrict or warn use of v-html to prevent XSS attack
|
|
* @author Nathan Zeplowitz
|
|
*/
|
|
'use strict'
|
|
const utils = require('../utils')
|
|
|
|
// ------------------------------------------------------------------------------
|
|
// Rule Definition
|
|
// ------------------------------------------------------------------------------
|
|
|
|
module.exports = {
|
|
meta: {
|
|
type: 'suggestion',
|
|
docs: {
|
|
description: 'disallow use of v-html to prevent XSS attack',
|
|
category: 'recommended',
|
|
url: 'https://eslint.vuejs.org/rules/no-v-html.html'
|
|
},
|
|
fixable: null,
|
|
schema: []
|
|
},
|
|
create (context) {
|
|
return utils.defineTemplateBodyVisitor(context, {
|
|
"VAttribute[directive=true][key.name.name='html']" (node) {
|
|
context.report({
|
|
node,
|
|
loc: node.loc,
|
|
message: "'v-html' directive can lead to XSS attack."
|
|
})
|
|
}
|
|
})
|
|
}
|
|
}
|