| 1 | var __extends = (this && this.__extends) || function (d, b) {
|
| 2 | for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p];
|
| 3 | function __() { this.constructor = d; }
|
| 4 | __.prototype = b.prototype;
|
| 5 | d.prototype = new __();
|
| 6 | };
|
| 7 | var SyntaxKind = require('./utils/SyntaxKind');
|
| 8 | var ErrorTolerantWalker = require('./utils/ErrorTolerantWalker');
|
| 9 | var Rule = (function (_super) {
|
| 10 | __extends(Rule, _super);
|
| 11 | function Rule() {
|
| 12 | _super.apply(this, arguments);
|
| 13 | }
|
| 14 | Rule.prototype.apply = function (sourceFile) {
|
| 15 | var documentRegistry = ts.createDocumentRegistry();
|
| 16 | var languageServiceHost = Lint.createLanguageServiceHost(sourceFile.fileName, sourceFile.getFullText());
|
| 17 | var languageService = ts.createLanguageService(languageServiceHost, documentRegistry);
|
| 18 | return this.applyWithWalker(new NoDangerousHtmlWalker(sourceFile, this.getOptions(), languageService));
|
| 19 | };
|
| 20 | Rule.getExceptions = function (options) {
|
| 21 | if (options.ruleArguments instanceof Array) {
|
| 22 | return options.ruleArguments[0];
|
| 23 | }
|
| 24 | if (options instanceof Array) {
|
| 25 | return options;
|
| 26 | }
|
| 27 | return null;
|
| 28 | };
|
| 29 | return Rule;
|
| 30 | })(Lint.Rules.AbstractRule);
|
| 31 | exports.Rule = Rule;
|
| 32 | var NoDangerousHtmlWalker = (function (_super) {
|
| 33 | __extends(NoDangerousHtmlWalker, _super);
|
| 34 | function NoDangerousHtmlWalker(sourceFile, options, languageServices) {
|
| 35 | _super.call(this, sourceFile, options);
|
| 36 | this.languageServices = languageServices;
|
| 37 | this.currentMethodName = '<unknown>';
|
| 38 | }
|
| 39 | NoDangerousHtmlWalker.prototype.visitMethodDeclaration = function (node) {
|
| 40 | this.currentMethodName = node.name.text;
|
| 41 | _super.prototype.visitMethodDeclaration.call(this, node);
|
| 42 | this.currentMethodName = '<unknown>';
|
| 43 | };
|
| 44 | NoDangerousHtmlWalker.prototype.visitPropertyAssignment = function (node) {
|
| 45 | _super.prototype.visitPropertyAssignment.call(this, node);
|
| 46 | var keyNode = node.name;
|
| 47 | if (keyNode.kind === SyntaxKind.current().Identifier) {
|
| 48 | if (keyNode.text === 'dangerouslySetInnerHTML') {
|
| 49 | if (!this.isSuppressed(this.currentMethodName)) {
|
| 50 | var failureString = 'Invalid call to dangerouslySetInnerHTML in method "' + this.currentMethodName + '"\n' +
|
| 51 | ' of source file ' + this.getSourceFile().fileName + '"\n' +
|
| 52 | ' Do *NOT* add a suppression for this warning. If you absolutely must use this API then you need\n' +
|
| 53 | ' to review the usage with a security expert/QE representative. If they decide that this is an\n' +
|
| 54 | ' acceptable usage then add the exception to xss_exceptions.json';
|
| 55 | var position = node.getStart();
|
| 56 | var failure = this.createFailure(position, keyNode.text.length, failureString);
|
| 57 | this.addFailure(failure);
|
| 58 | }
|
| 59 | }
|
| 60 | }
|
| 61 | _super.prototype.visitPropertyAssignment.call(this, node);
|
| 62 | };
|
| 63 | NoDangerousHtmlWalker.prototype.isSuppressed = function (methodName) {
|
| 64 | var _this = this;
|
| 65 | var exceptions = Rule.getExceptions(this.getOptions());
|
| 66 | if (exceptions == null || exceptions.length === 0) {
|
| 67 | return false;
|
| 68 | }
|
| 69 | var found = false;
|
| 70 | exceptions.forEach(function (exception) {
|
| 71 | if (exception.file === _this.getSourceFile().fileName) {
|
| 72 | if (exception.method === methodName) {
|
| 73 | if (exception.comment != null) {
|
| 74 | found = true;
|
| 75 | }
|
| 76 | }
|
| 77 | }
|
| 78 | });
|
| 79 | return found;
|
| 80 | };
|
| 81 | return NoDangerousHtmlWalker;
|
| 82 | })(ErrorTolerantWalker);
|
| 83 | |
| \ | No newline at end of file |