forked from ngageoint/opensphere
conformance_config.textproto
# Ban references to the global name `eval`. eval turns a string into running
# code, so any externally influenced string that reaches it becomes script
# execution in the page's origin.
# NOTE(review): this rule matches the name `eval` only. No rule visible in this
# file covers other string-to-code sinks (the Function constructor, string
# arguments to setTimeout/setInterval) — confirm whether that gap is intended.
requirement: {
type: BANNED_NAME
error_message: 'eval is not allowed since it can be used to execute '
'arbitrary JavaScript code. It is not typically necessary '
'in ordinary programming.'
value: 'eval'
# Closure Library files exempted from this check. Each entry switches the rule
# off for everything under that path, so keep the list minimal.
# NOTE(review): confirm these paths match where Closure Library lives in this
# build; newer Closure Compiler releases prefer the field name `allowlist` —
# verify against the compiler version in use before renaming.
whitelist: 'javascript/closure/base.js'
whitelist: 'javascript/closure/json/json.js'
}
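# Ban use of arguments.callee, which ES5 strict mode forbids. This is a
# correctness/strict-mode rule rather than an injection control.
# Fix: the first message fragment now ends with a space; the adjacent string
# literals are concatenated, so the message previously rendered as
# "...Strict mode.The JavaScript compiler...".
requirement: {
type: BANNED_PROPERTY
error_message: 'Arguments.prototype.callee is not allowed in ES5 Strict mode. '
'The JavaScript compiler will also check this when '
'CHECK_ES5_STRICT is enabled, but this conformance check also '
'warns for possible violations.'
value: 'Arguments.prototype.callee'
whitelist: 'javascript/closure/base.js' # goog.base uses arguments.callee
whitelist: 'javascript/closure/debug/' # legacy stack trace support, etc
}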
# Ban assignments to innerHTML. The rule type is BANNED_PROPERTY_WRITE, so only
# writes are flagged; reading innerHTML is still allowed. Callers are steered to
# goog.dom.safe.setInnerHtml, as the error message states.
# NOTE(review): no rule visible in this file covers other HTML-parsing sinks
# such as insertAdjacentHTML or document.write — confirm whether they are
# handled elsewhere.
requirement: {
type: BANNED_PROPERTY_WRITE
error_message: 'Assignment to Element.prototype.innerHTML is not allowed '
'since passing unsafe content can cause XSS vulnerabilities. '
'Use goog.dom.safe.setInnerHtml instead.'
value: 'Element.prototype.innerHTML'
# Safe wrapper for this property.
whitelist: 'javascript/closure/dom/safe.js'
# Safely used in goog.string.unescapeEntitiesUsingDom_; the string assigned to
# innerHTML is a single HTML entity.
# NOTE(review): the justification covers one function, but the entry exempts
# the whole file; any other innerHTML write added to string.js would pass
# unchecked.
whitelist: 'javascript/closure/string/string.js'
}
# Ban assignments to outerHTML, for the same reason as innerHTML: the assigned
# string is parsed as markup. Only writes are flagged (BANNED_PROPERTY_WRITE).
requirement: {
type: BANNED_PROPERTY_WRITE
error_message: 'Assignment to Element.prototype.outerHTML is not allowed '
'since passing unsafe content can cause XSS vulnerabilities. '
'Use goog.dom.safe.setOuterHtml instead.'
value: 'Element.prototype.outerHTML'
# Safe wrapper for this property; the only exempted path for this rule.
whitelist: 'javascript/closure/dom/safe.js'
}
# Ban assignments to location.href. A navigation target taken from external
# input can carry a script-bearing URL scheme, so writes must go through
# goog.dom.safe.setLocationHref, as the error message states. Only writes are
# flagged (BANNED_PROPERTY_WRITE).
requirement: {
type: BANNED_PROPERTY_WRITE
error_message: 'Assignment to Location.prototype.href is not allowed. '
'Externally controlled content assigned to the href property '
'can cause XSS vulnerabilities, such as executing '
'javascript:evil() URLs. Use goog.dom.safe.setLocationHref '
'instead.'
value: 'Location.prototype.href'
# Safe wrapper for this property.
whitelist: 'javascript/closure/dom/safe.js'
}
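# Ban assignments to window.location, the second way to trigger a navigation
# besides location.href. Only writes are flagged (BANNED_PROPERTY_WRITE).
# This rule has no whitelist entries, so no path is exempt from it.
# Fix: the first message fragment now ends with a space; the adjacent string
# literals are concatenated, so the message previously rendered as
# "...is not allowed.Externally controlled...".
requirement: {
type: BANNED_PROPERTY_WRITE
error_message: 'Assignment to Window.prototype.location is not allowed. '
'Externally controlled content assigned to the location '
'object can cause XSS vulnerabilities, such as executing '
'javascript:evil() URLs. Use goog.dom.safe.setLocationHref '
'instead.'
value: 'Window.prototype.location'
}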
# Ban assignments to the .href property of elements and style objects. An
# externally controlled URL written to href can carry a script-bearing scheme,
# so writes must go through goog.dom.safe.setAnchorHref, as the error message
# states. Only writes are flagged (BANNED_PROPERTY_WRITE).
requirement: {
type: BANNED_PROPERTY_WRITE
error_message: 'Assignment to .href property of Anchor, Link, etc elements, '
'is not allowed. Externally controlled content assigned '
'to the href property can cause XSS vulnerabilities, such as '
'executing javascript:evil() URLs. '
'Use goog.dom.safe.setAnchorHref instead.'
# Types with .href properties that do not extend from Element.
value: 'StyleSheet.prototype.href'
value: 'CSSImportRule.prototype.href'
# All other types extend from Element.
# NOTE(review): this relies on the compiler's externs declaring every
# href-bearing element type as an Element subtype — confirm against the externs
# in use.
value: 'Element.prototype.href'
# Safe wrapper for this property.
whitelist: 'javascript/closure/dom/safe.js'
}
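# Ban assignments to document.domain. Setting it relaxes the same-origin
# policy for the page, which widens what other hosts on the parent domain can
# reach. The rule type is BANNED_PROPERTY_WRITE, so reads of document.domain are
# not flagged even though the message says "Use of". No path is exempt.
# Fix: removed the duplicated word in the concatenated message, which
# previously rendered as "...relaxes the the same origin...".
requirement: {
type: BANNED_PROPERTY_WRITE
error_message: 'Use of document.domain is not allowed since it relaxes '
'the same origin protections of JavaScript and opens up the '
'attack surface for the domain.'
value: 'Document.prototype.domain'
}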
# Browser-compatibility rule, not a security control: bans both safe-integer
# constants because, per the error message, Internet Explorer does not define
# them. No path is exempt.
requirement: {
type: BANNED_NAME
error_message: 'Number.MIN_SAFE_INTEGER and Number.MAX_SAFE_INTEGER are not '
'defined in Internet Explorer.'
value: 'Number.MAX_SAFE_INTEGER'
value: 'Number.MIN_SAFE_INTEGER'
}
# Correctness rule, not a security control: Number.MIN_VALUE is the smallest
# positive value, not the most negative number, so using it as a lower bound is
# a bug. The error message points callers to Number.NEGATIVE_INFINITY instead.
# No path is exempt.
requirement: {
type: BANNED_NAME
error_message: 'Number.MIN_VALUE is the smallest fractional value, which is '
'still greater than zero. Use Number.NEGATIVE_INFINITY instead.'
value: 'Number.MIN_VALUE'
}
#requirement: {
# type: BANNED_NAME
# value: 'goog.bind'
# error_message: 'goog.bind(func, args) is not permitted. Use func.bind(args) instead.'
#}