Checks for detecting Trusted Types violations

August 12, 2022 ยท View on GitHub

Rule NameChecks Against
ban-base-href-assignmentsAssignments to .href on
ban-document-execcommandCalls to document.execCommand('insertHTML')
ban-document-write-callsCalls to document.write
ban-document-writeln-callsCalls to document.writeln
ban-domparser-parsefromstringCalls to DOMParser.parseFromString
ban-eval-callsCalls to eval
ban-element-innerhtml-assignmentsAssignments to .innerHTML on any element
ban-element-outerhtml-assignmentsAssignments to .outerHTML on any element
ban-element-insertadjacenthtmlCalls to .insertAdjacentHTML on any element
ban-element-setattributeCalls to .setAttribute on any element with dangerous attribute names
ban-iframe-srcdoc-assignmentsAssignments to .srcdoc on
ban-object-data-assignmentsAssignments to .data on
ban-script-appendchild-callsCalls to .appendChild on
ban-script-content-assignmentsAssignments to .text and .textContent on
ban-script-src-assignmentsAssignments to .src on
ban-shared-worker-callsCalls to the constructor of SharedWorker
ban-worker-callsCalls to the constructor of Worker
ban-window-stringfunctiondefCalls to setInternal and setTimeout with strings as the first argument
ban-trustedtypes-createpolicyCalls to TrustedTypePolicyFactory.createPolicy
ban-range-createcontextualfragmentCalls to Range.createContextualFragment
ban-serviceworkercontainer-registerCalls to ServiceWorkerContainer.register

Support for the safevalues library

The safevalues library offers a set of APIs to construct Trusted Types. There are legitimate cases where these APIs are not expressive enough or the migration is blocked by legacy issues. The library offer some "unsafe" APIs to make exceptions for these cases, but uses of unsafe APIs should be closely monitored and documented, which can be achieved by two additional rules offered by tsec: "ban-legacy-conversions" and "ban-reviewed-conversions".

Please see the safevalues documentations for details.