1 | var __extends = (this && this.__extends) || function (d, b) {
|
2 | for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p];
|
3 | function __() { this.constructor = d; }
|
4 | __.prototype = b.prototype;
|
5 | d.prototype = new __();
|
6 | };
|
7 | var SyntaxKind = require('./utils/SyntaxKind');
|
8 | var ErrorTolerantWalker = require('./utils/ErrorTolerantWalker');
|
9 | var Rule = (function (_super) {
|
10 | __extends(Rule, _super);
|
11 | function Rule() {
|
12 | _super.apply(this, arguments);
|
13 | }
|
14 | Rule.prototype.apply = function (sourceFile) {
|
15 | var documentRegistry = ts.createDocumentRegistry();
|
16 | var languageServiceHost = Lint.createLanguageServiceHost(sourceFile.fileName, sourceFile.getFullText());
|
17 | var languageService = ts.createLanguageService(languageServiceHost, documentRegistry);
|
18 | return this.applyWithWalker(new NoDangerousHtmlWalker(sourceFile, this.getOptions(), languageService));
|
19 | };
|
20 | Rule.getExceptions = function (options) {
|
21 | if (options.ruleArguments instanceof Array) {
|
22 | return options.ruleArguments[0];
|
23 | }
|
24 | if (options instanceof Array) {
|
25 | return options;
|
26 | }
|
27 | return null;
|
28 | };
|
29 | return Rule;
|
30 | })(Lint.Rules.AbstractRule);
|
31 | exports.Rule = Rule;
|
32 | var NoDangerousHtmlWalker = (function (_super) {
|
33 | __extends(NoDangerousHtmlWalker, _super);
|
34 | function NoDangerousHtmlWalker(sourceFile, options, languageServices) {
|
35 | _super.call(this, sourceFile, options);
|
36 | this.languageServices = languageServices;
|
37 | this.currentMethodName = '<unknown>';
|
38 | }
|
39 | NoDangerousHtmlWalker.prototype.visitMethodDeclaration = function (node) {
|
40 | this.currentMethodName = node.name.text;
|
41 | _super.prototype.visitMethodDeclaration.call(this, node);
|
42 | this.currentMethodName = '<unknown>';
|
43 | };
|
44 | NoDangerousHtmlWalker.prototype.visitPropertyAssignment = function (node) {
|
45 | _super.prototype.visitPropertyAssignment.call(this, node);
|
46 | var keyNode = node.name;
|
47 | if (keyNode.kind === SyntaxKind.current().Identifier) {
|
48 | if (keyNode.text === 'dangerouslySetInnerHTML') {
|
49 | if (!this.isSuppressed(this.currentMethodName)) {
|
50 | var failureString = 'Invalid call to dangerouslySetInnerHTML in method "' + this.currentMethodName + '"\n' +
|
51 | ' of source file ' + this.getSourceFile().fileName + '"\n' +
|
52 | ' Do *NOT* add a suppression for this warning. If you absolutely must use this API then you need\n' +
|
53 | ' to review the usage with a security expert/QE representative. If they decide that this is an\n' +
|
54 | ' acceptable usage then add the exception to xss_exceptions.json';
|
55 | var position = node.getStart();
|
56 | var failure = this.createFailure(position, keyNode.text.length, failureString);
|
57 | this.addFailure(failure);
|
58 | }
|
59 | }
|
60 | }
|
61 | _super.prototype.visitPropertyAssignment.call(this, node);
|
62 | };
|
63 | NoDangerousHtmlWalker.prototype.isSuppressed = function (methodName) {
|
64 | var _this = this;
|
65 | var exceptions = Rule.getExceptions(this.getOptions());
|
66 | if (exceptions == null || exceptions.length === 0) {
|
67 | return false;
|
68 | }
|
69 | var found = false;
|
70 | exceptions.forEach(function (exception) {
|
71 | if (exception.file === _this.getSourceFile().fileName) {
|
72 | if (exception.method === methodName) {
|
73 | if (exception.comment != null) {
|
74 | found = true;
|
75 | }
|
76 | }
|
77 | }
|
78 | });
|
79 | return found;
|
80 | };
|
81 | return NoDangerousHtmlWalker;
|
82 | })(ErrorTolerantWalker);
|
83 |
|
\ | No newline at end of file |