{
  "rulesDirectory": [
    "node_modules/tslint-microsoft-contrib",
	  "node_modules/tslint/lib/rules"
  ],
  "rules": {

        /**
         * Security rules. The following rules should be turned on because they find security issues
         * or are recommended in the Microsoft Secure Development Lifecycle (SDL).
         * The string arguments to "no-http-string" are regular expressions for URLs that are exempt from the check.
         */
        "no-banned-terms": true,
        "no-cookies": true,
        "no-delete-expression": true,
        "no-disable-auto-sanitization": true,
        "no-document-domain": true,
        "no-document-write": true,
        "no-eval": true,
        "no-exec-script": true,
        "no-function-constructor-with-string-args": true,
        "no-http-string": [true, "http://www.example.com/?.*", "http://www.examples.com/?.*"],
        "no-inner-html": true,
        "no-octal-literal": true,
        "no-string-based-set-immediate": true,
        "no-string-based-set-interval": true,
        "no-string-based-set-timeout": true,
        "react-no-dangerous-html": true,
		
        /**
         * Angular-specific "ban" entries that flag known vulnerable patterns (sanitizer bypasses and unsafe
         * HTML insertion). A "*" receiver matches any object, so e.g. every .html(...) call is reported.
         * This object form of the "ban" options works with tslint@5.4.3 and higher.
         */
        "ban": [
				        true,
				        {"name": ["*", "html"], "message": "Using Angular.element(element).html(<user input>); or $element.html(<user input>) without explicitly sanitizing the content is vulnerable to XSS. Using $('element').html(messageContent); directly without explicitly sanitizing the content is vulnerable to XSS"},
				        {"name": ["*", "trustAsHtml"], "message": "Using $sce.trustAsHtml directly without explicitly sanitizing the content is vulnerable to XSS"},
				        {"name": ["$sce", "enabled"], "message": "Do not disable Strict Contextual Escaping ($sce.enabled(false); or $sceProvider.enabled(false); ). This allows arbitrary HTML to be inserted into the View and disables Angular's inbuilt XSS prevention controls."},
				        {"name": ["$sceProvider", "enabled"], "message": "Do not disable Strict Contextual Escaping ($sce.enabled(false); or $sceProvider.enabled(false); ). This allows arbitrary HTML to be inserted into the View and disables Angular's inbuilt XSS prevention controls."},
				        {"name": ["*", "bypassSecurityTrustHtml"], "message": "Avoid this way of marking template content as safe using DomSanitizer, as it disables the in-built Angular sanitization"},
				        {"name": ["*", "bypassSecurityTrustScript"], "message": "Avoid this way of marking template content as safe using DomSanitizer, as it disables the in-built Angular sanitization"},
				        {"name": ["*", "bypassSecurityTrustUrl"], "message": "Avoid this way of marking template content as safe using DomSanitizer, as it disables the in-built Angular sanitization"},
				        {"name": ["*", "bypassSecurityTrustResourceUrl"], "message": "Avoid this way of marking template content as safe using DomSanitizer, as it disables the in-built Angular sanitization"},
				        {"name": ["*", "bypassSecurityTrustStyle"], "message": "Avoid this way of marking template content as safe using DomSanitizer, as it disables the in-built Angular sanitization"},
				        {"name": ["*", "imgSrcSanitizationWhitelist"], "message": "When using ngSanitize, it is also possible to open up the ruleset to be vulnerable. Ensure any customizations of Whitelisted content are thoroughly reviewed prior to release."},
				        {"name": ["*", "aHrefSanitizationWhitelist"], "message": "When using ngSanitize, it is also possible to open up the ruleset to be vulnerable. Ensure any customizations of Whitelisted content are thoroughly reviewed prior to release."},
				        {"name": ["*", "enableSvg"], "message": "When using ngSanitize, it is also possible to open up the ruleset to be vulnerable. Ensure any customizations of Whitelisted content are thoroughly reviewed prior to release."},
				        {"name": ["*", "trustAsJS"], "message": "Avoid using $sce.trustAsJS for user controllable data as this takes the supplied parameter as being javascript that is considered safe to execute."}]
    }
}