├── .eslintrc
├── .gitignore
├── README.md
└── package.json


/.eslintrc:
--------------------------------------------------------------------------------
 1 | { "ecmaFeatures" : {
 2 |     "modules" : true
 3 |   },
 4 |   "env" : {
 5 |     "browser" : true,
 6 |     "es6" : true /** all es6 features except modules */
 7 |   },
 8 |   "plugins" : [
 9 |     "scanjs-rules",
10 |     "no-unsafe-innerhtml"
11 |   ],
12 |   "rules" : {
13 |     /** useful rules from eslint **/
14 | 
15 |     /** no-unsafe-innerhtml rule **/
16 |     "no-unsafe-innerhtml/no-unsafe-innerhtml" : 2,
17 | 
18 |     /** ScanJS rules **/
19 |     "scanjs-rules/accidental_assignment": 1,
20 |     "scanjs-rules/assign_to_hostname" : 1,
21 |     "scanjs-rules/assign_to_href" : 1,
22 |     "scanjs-rules/assign_to_location" : 1,
23 |     "scanjs-rules/assign_to_onmessage" : 1,
24 |     "scanjs-rules/assign_to_pathname" : 1,
25 |     "scanjs-rules/assign_to_protocol" : 1,
26 |     "scanjs-rules/assign_to_search" : 1,
27 |     "scanjs-rules/assign_to_src" : 1,
28 |     "scanjs-rules/call_Function" : 1,
29 |     "scanjs-rules/call_addEventListener" : 1,
30 |     "scanjs-rules/call_addEventListener_deviceproximity" : 1,
31 |     "scanjs-rules/call_addEventListener_message" : 1,
32 |     "scanjs-rules/call_connect" : 1,
33 |     "scanjs-rules/call_eval" : 1,
34 |     "scanjs-rules/call_execScript" : 1,
35 |     "scanjs-rules/call_hide" : 1,
36 |     "scanjs-rules/call_open_remote=true" : 1,
37 |     "scanjs-rules/call_parseFromString" : 1,
38 |     "scanjs-rules/call_setImmediate" : 1,
39 |     "scanjs-rules/call_setInterval" : 1,
40 |     "scanjs-rules/call_setTimeout" : 1,
41 |     "scanjs-rules/identifier_indexedDB" : 1,
42 |     "scanjs-rules/identifier_localStorage" : 1,
43 |     "scanjs-rules/identifier_sessionStorage" : 1,
44 |     "scanjs-rules/new_Function" : 1,
45 |     "scanjs-rules/property_addIdleObserver" : 1,
46 |     "scanjs-rules/property_createContextualFragment" : 1,
47 |     "scanjs-rules/property_crypto": 1,
48 |     "scanjs-rules/property_geolocation" : 1,
49 |     "scanjs-rules/property_getUserMedia" : 1,
50 |     "scanjs-rules/property_indexedDB" : 1,
51 |     "scanjs-rules/property_localStorage" : 1,
52 |     "scanjs-rules/property_mgmt" : 1,
53 |     "scanjs-rules/property_sessionStorage" : 1
54 |   }
55 | }
56 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules
2 | .idea
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # This repository has been archived as read-only
 2 | We recommend looking at https://github.com/mozilla/eslint-plugin-no-unsanitized
 3 | if you are interested in xss-prevention techniques.
 4 | 
 5 | ## ScanJS Rules through ESLint.
 6 | 
 7 | If you want to get something like ScanJS using ESLint. This is the config 
 8 | file.
 9 | 
10 | ## Install
11 | ```sh
12 | npm -g install
13 | * cp -v .eslintrc ~/.scanjs-eslintrc
14 | ```
15 | 
16 | <!--
17 | Note that a globally installed eslint can see only globally installed plugins.
18 | 
19 | So you either have to install eslint itself and then required packages locally
20 | Or everything globally.
21 | -->
22 | 
23 | 
24 | ## Running
25 | ```sh
26 | cd project-to-scan/
27 | eslint --no-eslintrc -c ~/.scanjs-eslintrc .
28 | ```
29 | 
30 | ### Usage within IntelliJ IDEs (WebStorm, PyCharm etc.)
31 | 1. Open the Settings dialog and navigate to **Languages & Frameworks → JavaScript → Code Quality Tools → ESLint**.
32 | 2. **Enable ESLint** and make sure your settings match your installation:  Use a globally installed eslint package, the installer will place this in `/usr/lib/node_modules/eslint` or `usr/local/lib/node_modules/eslint`.
33 | 3. **Supply the config path `~/.scanjs-eslintrc`**
34 | 4. Reset the default rules, by providing **extra eslint options**, so we only use the provided config. This disables the default eslint rules, which check for coding style, not security: `--no-eslintrc -c ~/.scanjs-eslintrc .`
35 | 
36 | 
37 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "eslint-config-scanjs",
 3 |   "version": "1.0.0-beta4",
 4 |   "description": "umbrella config to get scanjs-like functionality from eslint",
 5 |   "main": "index.js",
 6 |   "scripts": {
 7 |     "test": "echo \"Error: no test specified\" && exit 1"
 8 |   },
 9 |   "dependencies": {
10 |     "eslint": ">=3.17.0",
11 |     "eslint-plugin-no-unsanitized": ">=2.0.1",
12 |     "eslint-plugin-scanjs-rules": ">=0.2.0",
13 |     "eslint-plugin-no-wildcard-postmessage": ">=0.1.3"
14 |   },
15 |   "repository": {
16 |     "type": "git",
17 |     "url": "git+https://github.com/mozfreddyb/eslint-config-scanjs.git"
18 |   },
19 |   "keywords": [
20 |     "eslintconfig",
21 |     "eslint",
22 |     "scanjs",
23 |     "security"
24 |   ],
25 |   "author": "Frederik Braun",
26 |   "license": "MPL-2.0",
27 |   "bugs": {
28 |     "url": "https://github.com/mozfreddyb/eslint-config-scanjs/issues"
29 |   },
30 |   "homepage": "https://github.com/mozfreddyb/eslint-config-scanjs#readme"
31 | }
32 | 


--------------------------------------------------------------------------------