or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

index.mdmethod-rule.mdplugin-configuration.mdproperty-rule.mdrule-helper.md
tile.json

index.mddocs/

ESLint Plugin No Unsanitized

ESLint Plugin No Unsanitized is a security-focused ESLint plugin designed to detect and prevent unsafe coding practices that could lead to security vulnerabilities. It provides comprehensive rules to disallow unsanitized code patterns, specifically targeting dangerous assignments to DOM properties and unsafe method calls that can introduce XSS vulnerabilities.

Package Information

  • Package Name: eslint-plugin-no-unsanitized
  • Package Type: npm
  • Language: JavaScript
  • Installation: npm install --save-dev eslint-plugin-no-unsanitized

Core Imports

import nounsanitized from "eslint-plugin-no-unsanitized";

For CommonJS:

const nounsanitized = require("eslint-plugin-no-unsanitized");

Basic Usage

Flat Config (ESLint 9.0+)

import nounsanitized from "eslint-plugin-no-unsanitized";

export default [nounsanitized.configs.recommended];

Or with custom configuration:

import nounsanitized from "eslint-plugin-no-unsanitized";

export default [
    {
        files: ["**/*.js"],
        plugins: { "no-unsanitized": nounsanitized },
        rules: {
            "no-unsanitized/method": "error",
            "no-unsanitized/property": "error",
        },
    },
];

Legacy Config (eslintrc)

{
    "extends": ["plugin:no-unsanitized/recommended-legacy"]
}

Or with custom configuration:

{
    "plugins": ["no-unsanitized"],
    "rules": {
        "no-unsanitized/method": "error",
        "no-unsanitized/property": "error"
    }
}

Architecture

The plugin is built around several key components:

  • Main Plugin Object: Exports rules, configurations, and metadata for ESLint integration
  • Rule System: Two core rules (method and property) for different types of unsafe patterns
  • Rule Helper: Shared validation logic for expression analysis, variable tracing, and security checking
  • Configuration System: Predefined configs for easy setup with extensive customization options
  • Security Validation Engine: Comprehensive expression analysis with support for tagged templates and method calls

Capabilities

Property Rule

Prevents unsafe assignment to DOM properties like innerHTML and outerHTML that can lead to XSS vulnerabilities.

// Plugin exports
const plugin = {
    rules: {
        property: PropertyRule
    }
};

// Rule configuration schema
interface PropertyRuleOptions {
    escape?: {
        taggedTemplates?: string[];
        methods?: string[];
    };
    variableTracing?: boolean;
}

Property Rule

Method Rule

Prevents unsafe method calls like document.write(), insertAdjacentHTML(), and dynamic import() that can introduce security vulnerabilities.

// Plugin exports  
const plugin = {
    rules: {
        method: MethodRule
    }
};

// Rule configuration schema
interface MethodRuleOptions {
    defaultDisable?: boolean;
    escape?: {
        taggedTemplates?: string[];
        methods?: string[];
    };
    objectMatches?: string[];
    properties?: number[];
    variableTracing?: boolean;
}

Method Rule

Plugin Configuration

Pre-configured rule sets and plugin metadata for easy ESLint integration.

interface ESLintPlugin {
    meta: {
        name: string;
        version: string;
    };
    rules: {
        property: ESLintRule;
        method: ESLintRule;
    };
    configs: {
        recommended: ESLintConfig;
        "recommended-legacy": ESLintConfig;
        DOM: ESLintConfig; // deprecated
    };
}

interface ESLintConfig {
    plugins: string[] | Record<string, ESLintPlugin>;
    rules: Record<string, string | [string, any]>;
}

Plugin Configuration

Rule Helper

Core validation logic shared between rules, providing expression analysis, variable tracing, and security validation functionality.

// Rule Helper instance creation
const ruleHelper = new RuleHelper(context: ESLintRuleContext, defaultRuleChecks: object);

// Core validation methods
interface RuleHelper {
    allowedExpression(expression: any, escapeObject: EscapeConfiguration, details: ValidationDetails): boolean;
    isAllowedIdentifier(expression: IdentifierNode, escapeObject: EscapeConfiguration, details: ValidationDetails): boolean;
    checkMethod(node: CallExpressionNode): void;
    checkProperty(node: AssignmentExpressionNode): void;
}

Rule Helper

Types

// Core rule function type
interface ESLintRule {
    meta: {
        type: "problem" | "suggestion" | "layout";
        docs: {
            description: string;
            category: string;
            url: string;
        };
        schema: JSONSchema[];
    };
    create(context: ESLintRuleContext): ESLintRuleVisitor;
}

interface ESLintRuleContext {
    options: any[];
    sourceCode?: {
        getScope(node: any): Scope;
        getText(node: any): string;
    };
    getScope?(node: any): Scope;
    report(node: any, message: string): void;
}

interface ESLintRuleVisitor {
    [key: string]: (node: any) => void;
}

// Security validation types
interface EscapeConfiguration {
    taggedTemplates?: string[];
    methods?: string[];
}

interface RuleCheck {
    properties?: number[];
    objectMatches?: string[];
    escape?: EscapeConfiguration;
}

// AST Node types for method calls
interface CallExpressionNode {
    type: "CallExpression";
    callee: any;
    arguments: any[];
}

interface ImportExpressionNode {
    type: "ImportExpression";
    source: any;
}

interface AssignmentExpressionNode {
    type: "AssignmentExpression";
    left: {
        property: {
            name: string;
        };
    };
    right: any;
    operator: string;
}

interface IdentifierNode {
    type: "Identifier";
    name: string;
}

// Validation details for error reporting
interface ValidationDetails {
    message?: string;
}