Fund: Rule proposal: `.replace` or `.replaceAll` with non-literal replacement

Description

One might think that a function like this generates safe HTML because the argument is HTML-escaped.

function imageLink(url) {
  const IMAGE_TEMPLATE = '<img src="{url}">';
  return IMAGE_TEMPLATE.replace('{url}', htmlEscape(url));
}

But in fact there’s a very obscure cross-site scripting vulnerability here, abusing the $` replacement sequence interpreted by String.prototype.replace and .replaceAll!

imageLink("$` onerror=alert(1) ")
//=> '<img src="<img src=" onerror=alert(1) ">'

To protect against this mistake, it would be nice to have an ESLint rule that forbids use of .replace and .replaceAll where the second argument isn’t a string literal or a function.

Fail

IMAGE_TEMPLATE.replace('{url}', htmlEscape(url))

Pass

IMAGE_TEMPLATE.replace('{url}', () => htmlEscape(url))

IMAGE_TEMPLATE.replace('{url}', "https://example.com")

Additional Info

No response

Sindre Sorhus/eslint-plugin-unicorn

Rule proposal: .replace or .replaceAll with non-literal replacement

Description

Fail

Pass

Additional Info

How does funding with Polar work?

Backer

Contributor

Maintainer

Sindre Sorhus/eslint-plugin-unicorn

Rule proposal: .replace or .replaceAll with non-literal replacement

Description

Fail

Pass

Additional Info

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?