
feat(linter): implement jsx-no-script-url #6995

Status: Open. Wants to merge 7 commits into base: main.
Conversation

radu2147 (Contributor)

graphite-app bot commented Oct 29, 2024

Your org has enabled the Graphite merge queue for merging into main

Add the label “0-merge” to the PR and Graphite will automatically add it to the merge queue when it’s ready to merge. Or use the label “hotfix” to add to the merge queue as a hot fix.

@github-actions github-actions bot added the A-linter Area - Linter label Oct 29, 2024
@github-actions github-actions bot added the C-enhancement Category - New feature or request label Oct 29, 2024

codspeed-hq bot commented Oct 29, 2024

CodSpeed Performance Report

Merging #6995 will not alter performance

Comparing radu2147:feat/no-jsx-script-url (47ccbcd) with main (12a6952)

Summary

✅ 30 untouched benchmarks


fn jsx_no_script_url_diagnostic(span: Span) -> OxcDiagnostic {
// See <https://oxc.rs/docs/contribute/linter/adding-rules.html#diagnostics> for details
OxcDiagnostic::warn("A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML, try using dangerouslySetInnerHTML instead.")
Collaborator:

Move all sentences but the first to a help message

///
/// ### Why is this bad?
///
/// In React 16.9, any URL starting with the javascript: scheme logs a warning. React considers the pattern a dangerous attack surface, see details. In a future major release, React will throw an error if it encounters a javascript: URL.
Collaborator:

What details?

radu2147 (Contributor Author):

Copy paste issue, will change

@radu2147 radu2147 marked this pull request as ready for review October 29, 2024 13:40
return;
};
if prop_value.as_string_literal().is_some_and(|val| {
let re = Regex::new(IS_JAVA_SCRIPT_PROTOCOL).unwrap();
IWANABETHATGUY (Contributor), Oct 30, 2024:

You should use lazy_static to wrap it to make sure it is only initialized once. Ref:

lazy_static! {
static ref NONOCTAL_REGEX: Regex =
Regex::new(r"(?:[^\\]|(?P<previousEscape>\\.))*?(?P<decimalEscape>\\[89])").unwrap();
}

Contributor:

Here is the reason: https://github.com/rust-lang/regex?tab=readme-ov-file#usage-avoid-compiling-the-same-regex-in-a-loop. I recommended using lazy_static since it is widely used in the linter crate.

@radu2147 radu2147 force-pushed the feat/no-jsx-script-url branch 2 times, most recently from 3e32476 to a0ddd86 Compare October 30, 2024 12:09
),
),
(
r#"<Foo other="javascript:"></Foo>"#,
radu2147 (Contributor Author):

FYI, I added an extra test to pass, as it checks that the link attributes do not have the javascript: value. (It seems that the original implementation of the rule does that, it just doesn't have a test case for it.) I can remove it though if deemed unnecessary.
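The check the rule performs, written out as an added example that is not the PR's or oxc's own code: a hand-written equivalent of the javascript: protocol regex that React and eslint-plugin-react use (so it needs no regex crate and nothing to initialise lazily, which sidesteps the compile-in-a-loop concern raised above), followed by the attribute filter the author describes, where a javascript: value on a non-link attribute such as <Foo other="javascript:"> is not reported. The function names, and the assumption that only href on <a> is inspected by default, are this example's own.

```rust
// Added example (not the oxc rule's code): a hand-written equivalent of the
// `javascript:` protocol test that React and eslint-plugin-react express as
// /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i
// Writing it by hand makes visible why the pattern is so loose: browsers strip
// leading control characters and spaces, ignore CR/LF/TAB inside the scheme and
// match it case-insensitively, so a naive `starts_with("javascript:")` is
// bypassable.

/// True if a browser would treat `value` as a `javascript:` URL.
pub fn is_javascript_protocol(value: &str) -> bool {
    let mut chars = value.chars().peekable();

    // Leading U+0000..U+001F and spaces are ignored by URL parsers.
    while let Some(&c) = chars.peek() {
        if c <= '\u{1F}' || c == ' ' {
            chars.next();
        } else {
            break;
        }
    }

    // Each scheme letter may be preceded by any number of CR/LF/TAB.
    for expected in "javascript".chars() {
        loop {
            match chars.next() {
                Some('\r' | '\n' | '\t') => continue,
                Some(c) if c.eq_ignore_ascii_case(&expected) => break,
                _ => return false,
            }
        }
    }

    // The colon may also be preceded by CR/LF/TAB.
    loop {
        match chars.next() {
            Some('\r' | '\n' | '\t') => continue,
            Some(':') => return true,
            _ => return false,
        }
    }
}

/// Mirrors the behaviour described in the thread: only link attributes are
/// inspected, so `<Foo other="javascript:">` is not reported.
/// Assumption for this example: the eslint-plugin-react default of checking
/// `href` on `<a>`; the oxc rule's exact attribute list is not shown here.
pub fn jsx_no_script_url(element: &str, attr: &str, value: &str) -> Option<String> {
    let is_link_attribute = element == "a" && attr == "href";
    if is_link_attribute && is_javascript_protocol(value) {
        Some(format!(
            "<{element} {attr}=...>: a future version of React will block javascript: URLs as a security precaution"
        ))
    } else {
        None
    }
}

fn main() {
    // Constructed sample attributes, including an obfuscated scheme.
    let samples = [
        ("a", "href", "javascript:alert(1)"),
        ("a", "href", " \u{1}JaVa\tScRiPt\r\n:alert(1)"),
        ("a", "href", "https://example.com"),
        ("Foo", "other", "javascript:"),
    ];
    for (element, attr, value) in samples {
        match jsx_no_script_url(element, attr, value) {
            Some(msg) => println!("REPORT {value:?}: {msg}"),
            None => println!("ok     {value:?}"),
        }
    }
}
```

The obfuscated sample (leading control character, mixed case, a tab inside the scheme and CR/LF before the colon) is exactly the kind of value a substring check misses but a browser still executes, which is why the rule has to use the browser's own loose definition rather than a literal prefix match.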
