Rule proposal: .replace or .replaceAll with non-literal replacement #2309
What should happen to |
It would be disallowed. If |
Accepted |
Description
One might think that a function like this generates safe HTML because the argument is HTML-escaped. But in fact there is a very obscure cross-site scripting vulnerability here, abusing the $` replacement sequence interpreted by String.prototype.replace and .replaceAll!

To protect against this mistake, it would be nice to have an ESLint rule that forbids use of .replace and .replaceAll where the second argument isn't a string literal or a function.

Fail

Pass
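As an added illustration that is not part of the issue, here is the failing and the passing form side by side: an HTML-escaping helper leaves `$` and the backtick alone, so when the escaped value is handed to .replace as a replacement string, $` splices the markup preceding the match back in unescaped, while a function replacement inserts its result verbatim. The names escapeHtml, renderUnsafe, renderSafe, renderEscapedDollar and the TEMPLATE/INPUT sample are illustrative.

```javascript
// Added example (not from the issue): why an HTML-escaped replacement string
// can still emit unescaped markup, and the replacer-function form that avoids it.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fail: the escaped value is passed as a replacement *pattern*, so
// String.prototype.replace interprets $-sequences inside it. "$" and "`" are
// not HTML metacharacters, so escapeHtml passes them through, and $` then
// splices in everything before the match, unescaped.
function renderUnsafe(template, value) {
  return template.replace("{{name}}", escapeHtml(value));
}

// Pass: a replacer function's return value is inserted verbatim.
function renderSafe(template, value) {
  return template.replace("{{name}}", () => escapeHtml(value));
}

// Alternative when a string replacement is unavoidable: double every "$" so
// .replace emits each one literally (replacement "$$$$" yields "$$").
function renderEscapedDollar(template, value) {
  return template.replace("{{name}}", escapeHtml(value).replace(/\$/g, "$$$$"));
}

// Constructed sample: the attribute opener before the placeholder gets
// duplicated into the user-controlled position by $`.
const TEMPLATE = '<p title="{{name}}">Hello</p>';
const INPUT = "$`";

function demo() {
  return {
    unsafe: renderUnsafe(TEMPLATE, INPUT),          // '<p title="<p title="">Hello</p>'
    safe: renderSafe(TEMPLATE, INPUT),              // '<p title="$`">Hello</p>'
    escaped: renderEscapedDollar(TEMPLATE, INPUT),  // same as safe
  };
}
```

The unsafe output contains a second raw `<` even though escapeHtml never produces one, which is exactly the case the proposed rule would flag.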
Additional Info
No response