Suggest using textContent instead of innerHTML

manuelpuyol · manuelpuyol · commit 21c911e0ecd7 · 2021-09-10T14:24:21.000-05:00
diff --git a/docs/rules/no-innter-html.md b/docs/rules/no-innter-html.md
@@ -1,6 +1,6 @@
 # No `innerHTML`
 
-Using `innerHTML` poses a potential security risk. It should only be used when clearing content.
+Using `innerHTML` poses a potential security risk. Prefer using `textContent` so set text to an element.
 
 ```js
 // bad
@@ -9,8 +9,8 @@ function setContent(element, content) {
 }
 
 // good
-function clearContent(element) {
-  element.innerHTML = ''
+function setContent(element, content) {
+  element.textContent = content
 }
 ```
 
diff --git a/lib/rules/no-inner-html.js b/lib/rules/no-inner-html.js
@@ -2,30 +2,28 @@ module.exports = {
   meta: {
     type: 'problem',
     docs: {
-      description: 'disallow `Element.prototype.innerHTML``',
+      description: 'disallow `Element.prototype.innerHTML` in favor of `Element.prototype.textContent`',
       url: require('../url')(module)
     },
+    fixable: 'code',
     schema: []
   },
 
   create(context) {
     return {
-      AssignmentExpression(node) {
-        if (node.operator === '=') {
-          const leftNode = node.left
-          const rightNode = node.right
-
-          if (leftNode.property && leftNode.property.name === 'innerHTML') {
-            if (rightNode.type === 'Literal' && rightNode.value === '') {
-              return
+      MemberExpression(node) {
+        if (node.property && node.property.name === 'innerHTML') {
+          context.report({
+            node: node.property,
+            meta: {
+              fixable: 'code'
+            },
+            message:
+              'Using innerHTML poses a potential security risk and should not be used. Prefer using textContent.',
+            fix(fixer) {
+              return fixer.replaceText(node.property, 'textContent')
             }
-
-            context.report({
-              node,
-              message:
-                'Using innerHTML poses a potential security risk and should not be used other than clearing content.'
-            })
-          }
+          })
         }
       }
     }
diff --git a/tests/no-inner-html.js b/tests/no-inner-html.js
@@ -6,27 +6,40 @@ const ruleTester = new RuleTester()
 ruleTester.run('no-innter-html', rule, {
   valid: [
     {
-      code: 'document.createElement("js-flash-text").innerHTML = ""'
+      code: 'document.createElement("js-flash-text").textContent = ""'
+    },
+    {
+      code: 'document.createElement("js-flash-text").textContent = "foo"'
     }
   ],
   invalid: [
     {
       code: 'document.createElement("js-flash-text").innerHTML = "foo"',
+      output: 'document.createElement("js-flash-text").textContent = "foo"',
       errors: [
         {
-          message:
-            'Using innerHTML poses a potential security risk and should not be used other than clearing content.',
-          type: 'AssignmentExpression'
+          message: 'Using innerHTML poses a potential security risk and should not be used. Prefer using textContent.',
+          type: 'Identifier'
         }
       ]
     },
     {
       code: 'document.querySelector("js-flash-text").innerHTML = "<div>code</div>"',
+      output: 'document.querySelector("js-flash-text").textContent = "<div>code</div>"',
+      errors: [
+        {
+          message: 'Using innerHTML poses a potential security risk and should not be used. Prefer using textContent.',
+          type: 'Identifier'
+        }
+      ]
+    },
+    {
+      code: 'document.querySelector("js-flash-text").innerHTML = ""',
+      output: 'document.querySelector("js-flash-text").textContent = ""',
       errors: [
         {
-          message:
-            'Using innerHTML poses a potential security risk and should not be used other than clearing content.',
-          type: 'AssignmentExpression'
+          message: 'Using innerHTML poses a potential security risk and should not be used. Prefer using textContent.',
+          type: 'Identifier'
         }
       ]
     }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	# No `innerHTML`
`2`	`2`
`3`		-Using `innerHTML` poses a potential security risk. It should only be used when clearing content.
	`3`	+Using `innerHTML` poses a potential security risk. Prefer using `textContent` so set text to an element.
`4`	`4`
`5`	`5`	```js
`6`	`6`	`// bad`
`@@ -9,8 +9,8 @@ function setContent(element, content) {`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`// good`
`12`		`-function clearContent(element) {`
`13`		`- element.innerHTML = ''`
	`12`	`+function setContent(element, content) {`
	`13`	`+ element.textContent = content`
`14`	`14`	`}`
`15`	`15`	```
`16`	`16`
Original file line number	Diff line number	Diff line change
`@@ -6,27 +6,40 @@ const ruleTester = new RuleTester()`
`6`	`6`	`ruleTester.run('no-innter-html', rule, {`
`7`	`7`	`valid: [`
`8`	`8`	`{`
`9`		`- code: 'document.createElement("js-flash-text").innerHTML = ""'`
	`9`	`+ code: 'document.createElement("js-flash-text").textContent = ""'`
	`10`	`+ },`
	`11`	`+ {`
	`12`	`+ code: 'document.createElement("js-flash-text").textContent = "foo"'`
`10`	`13`	`}`
`11`	`14`	`],`
`12`	`15`	`invalid: [`
`13`	`16`	`{`
`14`	`17`	`code: 'document.createElement("js-flash-text").innerHTML = "foo"',`
	`18`	`+ output: 'document.createElement("js-flash-text").textContent = "foo"',`
`15`	`19`	`errors: [`
`16`	`20`	`{`
`17`		`- message:`
`18`		`- 'Using innerHTML poses a potential security risk and should not be used other than clearing content.',`
`19`		`- type: 'AssignmentExpression'`
	`21`	`+ message: 'Using innerHTML poses a potential security risk and should not be used. Prefer using textContent.',`
	`22`	`+ type: 'Identifier'`
`20`	`23`	`}`
`21`	`24`	`]`
`22`	`25`	`},`
`23`	`26`	`{`
`24`	`27`	`code: 'document.querySelector("js-flash-text").innerHTML = "<div>code</div>"',`
	`28`	`+ output: 'document.querySelector("js-flash-text").textContent = "<div>code</div>"',`
	`29`	`+ errors: [`
	`30`	`+ {`
	`31`	`+ message: 'Using innerHTML poses a potential security risk and should not be used. Prefer using textContent.',`
	`32`	`+ type: 'Identifier'`
	`33`	`+ }`
	`34`	`+ ]`
	`35`	`+ },`
	`36`	`+ {`
	`37`	`+ code: 'document.querySelector("js-flash-text").innerHTML = ""',`
	`38`	`+ output: 'document.querySelector("js-flash-text").textContent = ""',`
`25`	`39`	`errors: [`
`26`	`40`	`{`
`27`		`- message:`
`28`		`- 'Using innerHTML poses a potential security risk and should not be used other than clearing content.',`
`29`		`- type: 'AssignmentExpression'`
	`41`	`+ message: 'Using innerHTML poses a potential security risk and should not be used. Prefer using textContent.',`
	`42`	`+ type: 'Identifier'`
`30`	`43`	`}`
`31`	`44`	`]`
`32`	`45`	`}`