no-inner-html rule seems overzealous (flags getter usage) #136

Open
geoffswift opened this issue Nov 17, 2023 · 0 comments

geoffswift commented Nov 17, 2023

We prefer to generate our HTML by building up a DOM node tree, and reading the outerHTML property, and thus we can ensure that we are securely / appropriately escaping all HTML entities etc. The no-inner-html rule flags up instances where I am reading the outerHTML property on a DOM node though, and this seems to be overzealous.

Is the rule being helpful in this example?

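```js
// Build the element through the DOM API so text and attribute values are escaped on serialization.
const anchor = document.createElement('a'),
	textNode = document.createTextNode(Name);

anchor.setAttribute('target', target);
anchor.href = href;
// Attach the label as a text node, never as markup.
anchor.appendChild(textNode);

// Reading outerHTML serializes the node; the rule currently flags this read.
// eslint-disable-next-line @lwc/lwc/no-inner-html
return anchor.outerHTML;
```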

I propose that the rule would ideally be amended to flag up when the innerHTML / outerHTML (etc) property is being set. It would seem to be the case that when the setter is used, that there is potential risk.

N.B. The documentation in no-inner-html.md appears to be erroneous and refers to outputHTML rather than outerHTML as follows:

Disallow the use of 'innerHTML' in all its forms. This includes innerHTML, outputHTML, and insertAdjacentHTML.
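
The read/write distinction proposed in this issue, as an added example that is not part of the original issue or the plugin's own code: a hypothetical ESLint-style rule, `noHtmlSinkWrite`, that reports assignments to `innerHTML` / `outerHTML` and calls to `insertAdjacentHTML` but leaves property reads alone. The `runRule` walker and the hand-built AST fragments are constructed stand-ins so the sketch runs without ESLint installed.

```javascript
// Hypothetical rule (not the @lwc/eslint-plugin-lwc source): report writes only.
const HTML_SINKS = new Set(['innerHTML', 'outerHTML']);
// Property name of a MemberExpression: el.innerHTML or el['innerHTML'].
function memberName(node) {
  if (!node || node.type !== 'MemberExpression') return null;
  const p = node.property;
  if (!node.computed && p.type === 'Identifier') return p.name;
  if (node.computed && p.type === 'Literal' && typeof p.value === 'string') return p.value;
  return null;
}
const noHtmlSinkWrite = {
  meta: { type: 'problem', schema: [] },
  create(context) {
    return {
      // el.innerHTML = x, el.outerHTML += x: the setter parses a string as HTML.
      AssignmentExpression(node) {
        const name = memberName(node.left);
        if (HTML_SINKS.has(name)) context.report({ node, message: `write to ${name}` });
      },
      // el.insertAdjacentHTML(position, html) also parses its argument as HTML.
      CallExpression(node) {
        if (memberName(node.callee) === 'insertAdjacentHTML') context.report({ node, message: 'call to insertAdjacentHTML' });
      },
    };
  },
};
// Minimal stand-in for ESLint's traversal so the sketch runs without ESLint.
function runRule(rule, ast) {
  const messages = [];
  const visitors = rule.create({ report: (d) => messages.push(d.message) });
  (function walk(node) {
    if (!node || typeof node !== 'object') return;
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (visitors[node.type]) visitors[node.type](node);
    Object.values(node).forEach(walk);
  })(ast);
  return messages;
}

// Constructed ESTree fragments (hand-built, not parser output).
const id = (name) => ({ type: 'Identifier', name });
const member = (obj, prop, computed = false) => ({ type: 'MemberExpression', object: id(obj),
  computed, property: computed ? { type: 'Literal', value: prop } : id(prop) });
const SAMPLES = {
  read: { type: 'ReturnStatement', argument: member('anchor', 'outerHTML') },
  write: { type: 'AssignmentExpression', operator: '=', left: member('el', 'innerHTML'), right: id('html') },
  computedWrite: { type: 'AssignmentExpression', operator: '+=', left: member('el', 'outerHTML', true), right: id('html') },
  call: { type: 'CallExpression', callee: member('el', 'insertAdjacentHTML'), arguments: [id('pos'), id('html')] },
};
```

`runRule(noHtmlSinkWrite, SAMPLES.read)` returns an empty list for the `return anchor.outerHTML` shape, while the three write shapes each produce one report.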