Fix issues with xss linters
Improve accuracy of javascript-escape linter: Previously this would match on FOOescape() and FOO.escape calls, but neither are the global escape function we are worried about. The regex probably isn't 100% accurate; there may still be false positives (javascript allows a large range of characters in identifiers, some of which may not be covered by [\w.$]). The main thing is to avoid false negatives here though - this will definitely catch any use of `escape()` or `window.escape()`.

Also remove javascript-interpolate lint - this was deemed unnecessary. StringUtils.interpolate is not in fact safe (it does no html escaping), so the results of this lint are misleading.
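The matching rule the commit message describes, written out as an added example in Python (the language of scripts/xsslint). This is not the project's own regex from linters.py; it is a hypothetical pattern that reproduces the stated behaviour: flag `escape(` and `window.escape(` wherever they appear, but not identifiers that merely end in `escape` (FOOescape) or members of some other object (FOO.escape). The sample JavaScript lines are constructed for the test; `find_global_escape` and `lint_lines` are names chosen here.

```python
import re

# Hypothetical linter rule (not the xsslint source). A call is flagged when the
# name is exactly "escape" or "window.escape", followed by an opening paren.
# The leading alternative requires either start-of-string or a character that
# cannot continue a JS identifier/member chain, approximated here (as the
# commit message does) by [\w.$]; exotic Unicode identifier characters are not
# covered, so a false positive such as "FOO\u00e9escape(" remains possible.
GLOBAL_ESCAPE_RE = re.compile(r"(?:^|[^\w.$])((?:window\.)?escape)\s*\(")


def find_global_escape(line):
    """Return the flagged call names found in one line of JavaScript."""
    return [m.group(1) for m in GLOBAL_ESCAPE_RE.finditer(line)]


def lint_lines(lines):
    """Run the rule over a file, yielding (1-based line number, call name)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name in find_global_escape(line):
            findings.append((lineno, name))
    return findings


# Constructed sample input, not taken from any file in the repository.
SAMPLE_JS = [
    "var s = escape(userInput);",          # flagged: global escape()
    "window.escape(userInput);",           # flagged: explicit global
    "var t = FOOescape(userInput);",       # not flagged: different identifier
    "var u = FOO.escape(userInput);",      # not flagged: member of FOO
    "var v = $escape(userInput);",         # not flagged: $ is an identifier char
    "foo.window.escape(userInput);",       # not flagged: window is a member here
    "html = escape (a) + escape(b);",      # flagged twice: space before paren is allowed
]

if __name__ == "__main__":
    for lineno, name in lint_lines(SAMPLE_JS):
        print("line %d: global %s() call" % (lineno, name))
```

Running the block prints one line per finding; the two calls on the last sample line are reported separately, which is what a threshold count in xsslint_thresholds.json would need.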
Showing 7 changed files with 21 additions and 53 deletions
- common/lib/xmodule/xmodule/js/src/capa/schematic.js: 5 additions, 5 deletions
- common/lib/xmodule/xmodule/js/src/sequence/display.js: 0 additions, 1 deletion
- common/lib/xmodule/xmodule/js/src/video/06_video_progress_slider.js: 0 additions, 1 deletion
- lms/djangoapps/teams/static/teams/js/views/edit_team_members.js: 2 additions, 2 deletions
- scripts/xsslint/tests/test_linters.py: 10 additions, 18 deletions
- scripts/xsslint/xsslint/linters.py: 4 additions, 25 deletions
- scripts/xsslint_thresholds.json: 0 additions, 1 deletion