
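# Semgrep rules for the TypeScript/JavaScript frontend.
# Each rule flags a client-side API that can turn attacker-influenced data into
# live markup or a malformed URL, and its message names the safer alternative.
rules:
  # encodeURI() leaves URI-reserved characters (& = ? / #) unescaped, so it
  # cannot safely encode a single query parameter or path segment; a value
  # containing "&" or "#" would change the meaning of the resulting URL.
  # encodeURIComponent() escapes them, and the autofix swaps the call in place.
  - id: js-func-encode-uri
    patterns:
      - pattern: encodeURI($X)
    message: Use encodeURIComponent() instead of encodeURI()
    languages:
      - typescript
      - javascript
    severity: WARNING
    fix: encodeURIComponent($X)

  # document.write()/writeln() insert raw markup into the open document, so any
  # untrusted string that reaches them is a DOM XSS sink. React escapes
  # interpolated values, which is why the message points at components.
  - id: js-dangerous-func-document-write
    patterns:
      - pattern: document.write(...)
    message: Don't render html directly into the page, use React components instead
    languages:
      - typescript
      - javascript
    severity: WARNING

  # Same sink reached through an alias of `document` ("$X1 = document; ...
  # $X1.write(...)"), which the direct-call pattern above does not see.
  - id: js-dangerous-func-assign-document-write
    patterns:
      - pattern: |
          $X1 = document
          ...
          $X1.write(...)
    message: Don't render html directly into the page, use React components instead
    languages:
      - typescript
      - javascript
    severity: WARNING

  - id: js-dangerous-func-document-writeln
    patterns:
      - pattern: document.writeln(...)
    message: Don't render html directly into the page, use React components instead
    languages:
      - typescript
      - javascript
    severity: WARNING

  # Aliased form of document.writeln(), mirroring the write() rule above.
  - id: js-dangerous-func-assign-document-writeln
    patterns:
      - pattern: |
          $X1 = document
          ...
          $X1.writeln(...)
    message: Don't render html directly into the page, use React components instead
    languages:
      - typescript
      - javascript
    severity: WARNING

  # Raw-HTML sinks: React's dangerouslySetInnerHTML (JSX attribute or props
  # object) and the DOM properties/methods that parse a string as markup.
  # insertAdjacentHTML is a method, not a property, so it is matched as a call;
  # an assignment pattern (`$X1.insertAdjacentHTML=...`) would never fire.
  - id: react-dangerouslysetinnerhtml
    pattern-either:
      - pattern: |
          <$X dangerouslySetInnerHTML=... />
      - pattern: |
          {dangerouslySetInnerHTML: ...}
      - pattern: |
          $X1.innerHTML=...
      - pattern: |
          $X1.outerHTML=...
      - pattern: |
          $X1.insertAdjacentHTML(...)
    message: "Setting HTML from code is risky because its easy to inadvertently expose your users to a cross-site scripting (XSS) attack."
    languages:
      - typescript
      - javascript
    severity: WARNING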