Package com.google.javascript.jscomp

Class ConformanceRules.SecuritySensitiveAttributes

java.lang.Object

com.google.javascript.jscomp.ConformanceRules.SecuritySensitiveAttributes

Enclosing class:

ConformanceRules

public static final class ConformanceRules.SecuritySensitiveAttributes
extends Object

Checks nodes for conformance with banning the setting of attributes that are on the blocklist.

Field Summary

Fields

Modifier and Type	Field	Description
static final com.google.common.collect.ImmutableSet<String>	ALL_BANNED_ATTRS	Security-sensitive attributes that are banned from being set.

Constructor Summary

Constructors

Constructor	Description
SecuritySensitiveAttributes()
SecuritySensitiveAttributes(Collection<String> bannedAtrrs)
SecuritySensitiveAttributes(Collection<String> bannedAtrrs, Supplier<com.google.javascript.jscomp.GlobalNamespace> globalNamespaceSupplier)
SecuritySensitiveAttributes(Supplier<com.google.javascript.jscomp.GlobalNamespace> globalNamespaceSupplier)

Method Summary

Modifier and Type	Method	Description
ConformanceRules.ConformanceResult	checkConformanceForAttributeName(NodeTraversal traversal, Node attrName)	Given a NodeTraversal and Node, check if the attribute violates conformance.
ConformanceRules.ConformanceResult	checkConformanceForAttributeNameWithHighConfidence(NodeTraversal traversal, Node attrName)	Given a NodeTraversal and Node, check if the attribute violates conformance.
boolean	contains(String attributeName)	Checks if a attribute name is on the security banlist.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

ALL_BANNED_ATTRS

public static final com.google.common.collect.ImmutableSet<String> ALL_BANNED_ATTRS

Security-sensitive attributes that are banned from being set.

Making updates to these attributes requires a new JSCompiler release. You must test the change using a global presubmit "at head" and update any affected allowlists. See go/jscompiler-global-presubmit and go/tsjs-conformance-team-docs.

Constructor Details

SecuritySensitiveAttributes

public SecuritySensitiveAttributes()

SecuritySensitiveAttributes

public SecuritySensitiveAttributes(Supplier<com.google.javascript.jscomp.GlobalNamespace> globalNamespaceSupplier)

SecuritySensitiveAttributes

public SecuritySensitiveAttributes(Collection<String> bannedAtrrs)

SecuritySensitiveAttributes

public SecuritySensitiveAttributes(Collection<String> bannedAtrrs,
 Supplier<com.google.javascript.jscomp.GlobalNamespace> globalNamespaceSupplier)

Method Details

contains

public boolean contains(String attributeName)

Checks if a attribute name is on the security banlist. Callers should make sure the attribute name is lower-cased, as attribute names are case-insensitve in HTML.

checkConformanceForAttributeName

public ConformanceRules.ConformanceResult checkConformanceForAttributeName(NodeTraversal traversal,
 Node attrName)

Given a NodeTraversal and Node, check if the attribute violates conformance.

A violation is returned if the attribute name cannot be determined (and it is not an xid), if the attribute is on a list of banned attributes, or if it begins with the letters "on". Otherwise, it is a conforming attribute.

checkConformanceForAttributeNameWithHighConfidence

public ConformanceRules.ConformanceResult checkConformanceForAttributeNameWithHighConfidence(NodeTraversal traversal,
 Node attrName)

Given a NodeTraversal and Node, check if the attribute violates conformance.

A violation is returned only if the attribute name can be statically determined and is on the list of banned attributes.