Commit c98c01e

committed

feat: Add ignorePattern to no-v-html

This allows configuring the rule such that certain variables are allowed in v-html=. For instance, we would like to allowlist variables named "*Html" (as in the test), where the name already marks them as containing safe HTML that’s expected to be used with v-html=.

1 parent 6f1fae3 commit c98c01eCopy full SHA for c98c01e

File tree

3 files changed

+34

-1

lines changed

.changeset
- purple-lights-invite.md
lib/rules
- no-v-html.js
tests/lib/rules
- no-v-html.js

3 files changed

+34

-1

lines changed

`‎.changeset/purple-lights-invite.md`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+---`
	`2`	`+'eslint-plugin-vue': minor`
	`3`	`+---`
	`4`	`+`
	`5`	+Added `ignorePattern` option to [`vue/no-v-html`](https://eslint.vuejs.org/rules/no-v-html.html)

`‎lib/rules/no-v-html.js`

Lines changed: 18 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`*/`
`5`	`5`	`'use strict'`
`6`	`6`	`const utils = require('../utils')`
	`7`	`+const { toRegExp } = require('../utils/regexp')`
`7`	`8`
`8`	`9`	`module.exports = {`
`9`	`10`	`meta: {`
`@@ -14,16 +15,32 @@ module.exports = {`
`14`	`15`	`url: 'https://eslint.vuejs.org/rules/no-v-html.html'`
`15`	`16`	`},`
`16`	`17`	`fixable: null,`
`17`		`- schema: [],`
	`18`	`+ schema: [{`
	`19`	`+ type: 'object',`
	`20`	`+ properties: {`
	`21`	`+ ignorePattern: {`
	`22`	`+ type: 'string'`
	`23`	`+ }`
	`24`	`+ }`
	`25`	`+ }],`
`18`	`26`	`messages: {`
`19`	`27`	`unexpected: "'v-html' directive can lead to XSS attack."`
`20`	`28`	`}`
`21`	`29`	`},`
`22`	`30`	`/** @param {RuleContext} context */`
`23`	`31`	`create(context) {`
	`32`	`+ const options = context.options[0]`
	`33`	`+ let ignoredVarMatcher = null`
	`34`	`+ if (options?.ignorePattern) {`
	`35`	`+ ignoredVarMatcher = toRegExp(options.ignorePattern, { remove: 'g' })`
	`36`	`+ }`
	`37`	`+`
`24`	`38`	`return utils.defineTemplateBodyVisitor(context, {`
`25`	`39`	`/** @param {VDirective} node */`
`26`	`40`	`"VAttribute[directive=true][key.name.name='html']"(node) {`
	`41`	`+ if (ignoredVarMatcher !== null && node.value.expression.type === 'Identifier' && ignoredVarMatcher.test(node.value.expression.name)) {`
	`42`	`+ return`
	`43`	`+ }`
`27`	`44`	`context.report({`
`28`	`45`	`node,`
`29`	`46`	`loc: node.loc,`

`‎tests/lib/rules/no-v-html.js`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,11 @@ ruleTester.run('no-v-html', rule, {`
`28`	`28`	`{`
`29`	`29`	`filename: 'test.vue',`
`30`	`30`	`code: '<template><div v-if="foo" v-bind="bar"></div></template>'`
	`31`	`+ },`
	`32`	`+ {`
	`33`	`+ filename: 'test.vue',`
	`34`	`+ code: '<template><div v-html="knownHtml"></div></template>',`
	`35`	`+ options: [{ignorePattern: '/^(?:html\|.+Html)$/'}]`
`31`	`36`	`}`
`32`	`37`	`],`
`33`	`38`	`invalid: [`
`@@ -45,6 +50,12 @@ ruleTester.run('no-v-html', rule, {`
`45`	`50`	`filename: 'test.vue',`
`46`	`51`	`code: '<template><section v-html/></template>',`
`47`	`52`	`errors: ["'v-html' directive can lead to XSS attack."]`
	`53`	`+ },`
	`54`	`+ {`
	`55`	`+ filename: 'test.vue',`
	`56`	`+ code: '<template><div v-html="unsafeString"></div></template>',`
	`57`	`+ options: [{ignorePattern: '^(?:html\|.+Html)$'}],`
	`58`	`+ errors: ["'v-html' directive can lead to XSS attack."]`
`48`	`59`	`}`
`49`	`60`	`]`
`50`	`61`	`})`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit c98c01e

File tree

3 files changed

3 files changed

`‎.changeset/purple-lights-invite.md`

`‎lib/rules/no-v-html.js`

`‎tests/lib/rules/no-v-html.js`

0 commit comments