123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 |
- /**
- * @fileoverview disallow target="_blank" attribute without rel="noopener noreferrer"
- * @author Sosukesuzuki
- */
- 'use strict'
- // ------------------------------------------------------------------------------
- // Requirements
- // ------------------------------------------------------------------------------
- const utils = require('../utils')
- // ------------------------------------------------------------------------------
- // Helpers
- // ------------------------------------------------------------------------------
- /** @param {VAttribute} node */
- function isTargetBlank(node) {
- return (
- node.key &&
- node.key.name === 'target' &&
- node.value &&
- node.value.value === '_blank'
- )
- }
- /**
- * @param {VStartTag} node
- * @param {boolean} allowReferrer
- */
- function hasSecureRel(node, allowReferrer) {
- return node.attributes.some((attr) => {
- if (attr.key && attr.key.name === 'rel') {
- const tags =
- attr.value &&
- attr.value.type === 'VLiteral' &&
- attr.value.value.toLowerCase().split(' ')
- return (
- tags &&
- tags.includes('noopener') &&
- (allowReferrer || tags.includes('noreferrer'))
- )
- } else {
- return false
- }
- })
- }
- /**
- * @param {VStartTag} node
- */
- function hasExternalLink(node) {
- return node.attributes.some(
- (attr) =>
- attr.key &&
- attr.key.name === 'href' &&
- attr.value &&
- attr.value.type === 'VLiteral' &&
- /^(?:\w+:|\/\/)/.test(attr.value.value)
- )
- }
- /**
- * @param {VStartTag} node
- */
- function hasDynamicLink(node) {
- return node.attributes.some(
- (attr) =>
- attr.key &&
- attr.key.type === 'VDirectiveKey' &&
- attr.key.name &&
- attr.key.name.name === 'bind' &&
- attr.key.argument &&
- attr.key.argument.type === 'VIdentifier' &&
- attr.key.argument.name === 'href'
- )
- }
- // ------------------------------------------------------------------------------
- // Rule Definition
- // ------------------------------------------------------------------------------
- module.exports = {
- meta: {
- type: 'problem',
- docs: {
- description:
- 'disallow target="_blank" attribute without rel="noopener noreferrer"',
- categories: undefined,
- url: 'https://eslint.vuejs.org/rules/no-template-target-blank.html'
- },
- schema: [
- {
- type: 'object',
- properties: {
- allowReferrer: {
- type: 'boolean'
- },
- enforceDynamicLinks: {
- enum: ['always', 'never']
- }
- },
- additionalProperties: false
- }
- ]
- },
- /**
- * Creates AST event handlers for no-template-target-blank
- *
- * @param {RuleContext} context - The rule context.
- * @returns {Object} AST event handlers.
- */
- create(context) {
- const configuration = context.options[0] || {}
- const allowReferrer = configuration.allowReferrer || false
- const enforceDynamicLinks = configuration.enforceDynamicLinks || 'always'
- return utils.defineTemplateBodyVisitor(context, {
- /** @param {VAttribute} node */
- 'VAttribute[directive=false]'(node) {
- if (!isTargetBlank(node) || hasSecureRel(node.parent, allowReferrer)) {
- return
- }
- const hasDangerHref =
- hasExternalLink(node.parent) ||
- (enforceDynamicLinks === 'always' && hasDynamicLink(node.parent))
- if (hasDangerHref) {
- context.report({
- node,
- message:
- 'Using target="_blank" without rel="noopener noreferrer" is a security risk.'
- })
- }
- }
- })
- }
- }
|