Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule proposal: require-css-escape #2318

Open
silverwind opened this issue Apr 10, 2024 · 2 comments
Open

Rule proposal: require-css-escape #2318

silverwind opened this issue Apr 10, 2024 · 2 comments
Labels
help wanted new rule

Comments

@silverwind
Copy link
Contributor

silverwind commented Apr 10, 2024
edited

Description

CSS.escape should always be used when interpolating arbritrary variables into a CSS selector to ensure correct escaping.

Fail

document.querySelector(`#${id}`);
el.querySelectorAll(`a[href^="#${hash}"]`);

Pass

document.querySelector(`#${CSS.escape(id)}`);
el.querySelectorAll(`a[href^="#${CSS.escape(hash)}"]`);

Any tagged template should not trigger the rule:

document.querySelector(cssEscape`#${id}`);
@sindresorhus
Copy link
Owner

Accepted

@silverwind
Copy link
Contributor Author

To reduce code churn, maybe it should have an option to limit it to attribute selectors as indicated by [ and ] in the surrounding strings. Patterns like below are pretty common and not exactly a problem if the string contains only CSS-safe characters:

const className = 'foo';
document.querySelectorAll(`.${classname}`);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted new rule
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@silverwind @sindresorhus