vize_patina 0.3.0

Patina - The quality checker for Vize code linting
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

//! vue/no-v-html
//!
//! Warn against use of v-html directive due to XSS risks.
//!
//! `v-html` renders raw HTML and can lead to XSS (Cross-Site Scripting)
//! vulnerabilities if the content is user-provided or untrusted.
//!
//! ## Security Risks
//!
//! - XSS attacks through malicious script injection
//! - Data theft via cookie/session hijacking
//! - Phishing through DOM manipulation
//!
//! ## Examples
//!
//! ### Invalid
//! ```vue
//! <div v-html="userContent"></div>
//! <span v-html="htmlFromApi"></span>
//! ```
//!
//! ### Valid
//! ```vue
//! <!-- Use text interpolation for user content -->
//! <div>{{ userContent }}</div>
//!
//! <!-- Or sanitize HTML before rendering -->
//! <div v-html="sanitizedHtml"></div> <!-- with proper sanitization -->
//! ```
//!
//! ## When to Allow
//!
//! v-html is acceptable when:
//! - Content is generated by trusted sources (your own CMS, markdown parser)
//! - Content is properly sanitized using DOMPurify or similar
//! - Content is in a sandboxed iframe

use crate::context::LintContext;
use crate::diagnostic::Severity;
use crate::rule::{Rule, RuleCategory, RuleMeta};
use vize_relief::ast::{DirectiveNode, ElementNode};

static META: RuleMeta = RuleMeta {
    name: "vue/no-v-html",
    description: "Warn against v-html to prevent XSS vulnerabilities",
    category: RuleCategory::Essential,
    fixable: false,
    default_severity: Severity::Warning,
};

/// No v-html rule
#[derive(Default)]
pub struct NoVHtml;

impl Rule for NoVHtml {
    fn meta(&self) -> &'static RuleMeta {
        &META
    }

    fn check_directive<'a>(
        &self,
        ctx: &mut LintContext<'a>,
        _element: &ElementNode<'a>,
        directive: &DirectiveNode<'a>,
    ) {
        if directive.name == "html" {
            ctx.warn_with_help(
                ctx.t("vue/no-v-html.message"),
                &directive.loc,
                ctx.t("vue/no-v-html.help"),
            );
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::linter::Linter;
    use crate::rule::RuleRegistry;

    fn create_linter() -> Linter {
        let mut registry = RuleRegistry::new();
        registry.register(Box::new(NoVHtml));
        Linter::with_registry(registry)
    }

    #[test]
    fn test_valid_interpolation() {
        let linter = create_linter();
        let result = linter.lint_template(r#"<div>{{ content }}</div>"#, "test.vue");
        assert_eq!(result.warning_count, 0);
    }

    #[test]
    fn test_invalid_v_html() {
        let linter = create_linter();
        let result = linter.lint_template(r#"<div v-html="content"></div>"#, "test.vue");
        assert_eq!(result.warning_count, 1);
        assert!(result.diagnostics[0].message.contains("XSS"));
    }
}