-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathno-angularjs-enable-svg.js
48 lines (44 loc) · 1.36 KB
/
no-angularjs-enable-svg.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
/**
* @fileoverview Rule to disallow enabling SVG in AngularJS apps
* @author Antonios Katopodis
*/
"use strict";
module.exports = {
meta: {
type: "suggestion",
fixable: "code",
schema: [],
docs: {
category: "Security",
description:
"Calls to $sanitizeProvider.enableSvg(true) increase attack surface of the application by enabling SVG support in AngularJS sanitizer and need to be reviewed.",
url: "https://github.com/microsoft/eslint-plugin-sdl/blob/master/docs/rules/no-angularjs-enable-svg.md"
},
messages: {
doNotEnableSVG: "Do not enable SVG support in AngularJS"
}
},
create: function (context) {
return {
"CallExpression[callee.object.name='$sanitizeProvider'][callee.property.name='enableSvg']"(
node
) {
// Known false positives
if (
(node.arguments != undefined && node.arguments.length != 1) ||
(node.arguments[0].type == "Literal" &&
(node.arguments[0].value == "false" || node.arguments[0].value == "0"))
) {
return;
}
context.report({
node: node,
messageId: "doNotEnableSVG"
});
}
};
}
};
// TODO: Add rules for $sanitizeProvider.addValidElements() and $sanitizeProvider.addValidAttrs()