no-v-html.js 884 B

  /**
   * @fileoverview Report every use of the `v-html` directive in Vue templates.
   * `v-html` inserts its bound value as raw HTML, so a value that carries
   * unsanitized user input becomes an XSS sink.
   * @author Nathan Zeplowitz
   */
  'use strict'

  const utils = require('../utils')

  // Selector for a directive attribute whose directive name is `html`,
  // i.e. any `v-html="..."` in a template.
  const V_HTML_SELECTOR = "VAttribute[directive=true][key.name.name='html']"

  module.exports = {
    meta: {
      type: 'suggestion',
      docs: {
        description: 'disallow use of v-html to prevent XSS attack',
        categories: ['vue3-recommended', 'vue2-recommended'],
        url: 'https://eslint.vuejs.org/rules/no-v-html.html'
      },
      // No autofix is offered for this rule.
      fixable: null,
      // The rule takes no options, so there is no way to exempt individual
      // expressions through configuration.
      schema: [],
      messages: {
        unexpected: "'v-html' directive can lead to XSS attack."
      }
    },

    /**
     * Build the template visitor that flags `v-html`.
     *
     * The handler reports unconditionally: it never looks at the bound
     * expression, so sanitized and unsanitized values are flagged alike.
     * Whoever suppresses a report must confirm the value is sanitized or
     * otherwise trusted.
     *
     * @param {RuleContext} context
     * @returns the visitor produced by `utils.defineTemplateBodyVisitor`
     */
    create(context) {
      /** @param {VDirective} node */
      const reportVHtml = (node) => {
        context.report({ node, loc: node.loc, messageId: 'unexpected' })
      }

      return utils.defineTemplateBodyVisitor(context, {
        [V_HTML_SELECTOR]: reportVHtml
      })
    }
  }