Found no `super()` in constructorJS-0226Found reassigning class membersJS-0228Detected usage of the `any` typeJS-0323Avoid specifying `children` when using `dangerouslySetInnerHTML`JS-0439Debugger activation detectedJS-0005Found the usage of undeclared variablesJS-0125Avoid insecure HTTP header configuration for nosniffing headerJS-S1001Avoid insecure HTTP strict transport securityJS-S1002Avoid insecure dns prefetch control configuration for helmetJS-S1003Found potentially unsafe deserializationJS-S1000Usage of an insecure TLS protocol versionJS-S1009Vulnerable VM code executionJS-S0011JSON Web Token (JWT) not signed with a cipher algorithmJS-S1008Potential shell argument injection vulnerabilityJS-S0010Insecure web security preferences found in ElectronJS-S1015Certificate validation is disabled in TLS connectionJS-S1017Insecure express middleware pathJS-S1018Insecure node integration preferences found in ElectronJS-S1019Audit: Regex range is too permissiveJS-A1002Audit: insecure assignment to `innerHTML` propertyJS-S1012Audit: Unsanitized external input passed to a templating engine is prone to vulnerabilitiesJS-A1005Detected Unsafe referrer policyJS-S1011Audit: Avoid exposing server-side errors to clientJS-A1006`ajv` configuration is vulnerable to DoS attacksJS-S1013Array index possibly out of boundsJS-S1016Audit: Unsanitized external input used with Electron's shell module is prone to vulnerabilitiesJS-A1007Missing target origin in cross-origin communicationJS-S1014Audit: Found insecure randomness in initialization of sensitive dataJS-A1000Audit: Storing or accessing files from a publicly accessible directory is vulnerable to information disclosureJS-A1001Audit: Unsanitized user input supplied to `cat` command is prone to command injectionJS-A1003Audit: Unsanitized user input passed to server logsJS-A1004Found code vulnerable to shell command injectionJS-S1010Found hardcoded credentials in source codeJS-S1021Strict Contextual Escaping (SCE) is disabled in AngularJSJS-S1022Audit: Query is potentially vulnerable to SQL injectionJS-A1009Audit: cookie in HTTP response is vulnerable to session-fixationJS-A1008Context isolation is disabled in ElectronJS-S1020Detected insecure whitelisting of URLs in AngularJSJS-S1023Found control characters in regular expressionsJS-0004Invalid regular expression strings present in RegExp constructorsJS-0017Found reassigning const variablesJS-0230Avoid direct mutation of `this.state`JS-0444Found duplicate arguments in function definitionsJS-0006Avoid using promises in places not designed to handle themJS-0336Found unreachable codeJS-0025Avoid `target='_blank'` attribute without `rel='noopener noreferrer'`JS-0422`function` or var declarations in nested blocks is not preferredJS-0016Detected the assignment to exportsJS-0256Found undeclared variables in JSXJS-0423Detected unsupported Node.js built-in APIs on the specified versionJS-0269Found confusing multiline expressionsJS-0024Suggest correct usage of shebangJS-0271Prefer ES5 or ES6 class for returning value in render functionJS-0467Reassigning function declarationsJS-0015Global object properties should not be called as functionsJS-0020Found `for-in` loop iterating over an arrayJS-0329Avoid using control flow statements in `finally` blocksJS-0026Detected the use of an `eval()`-like methodJS-0330Found non-null assertionsJS-0339Found constant expressions in conditionsJS-0003Found duplicate keys in object literalsJS-0007Found empty character classes in regular expressionsJS-0010Left operand of relational operators should not have negationJS-0019Avoid using sparse arrays unless necessaryJS-0023Use `isNaN()` to check for `NaN`JS-0027`typeof` expressions should be compared against valid stringsJS-0028`For` loop update clause should move the counter in the correct directionJS-0029Prefer not using an async function as a Promise executorJS-0031Found usage of comparison with negative-zero(`-0`)JS-0033Duplicate conditions in `if-else-if` chainsJS-0034Unsupported ECMAScript syntaxJS-0268Assignment to imported bindingsJS-0035Found empty destructuring patternsJS-0058Found duplicate class membersJS-0231Found new operators with the `Symbol` objectJS-0233Found `this`/`super` before calling `super()` in constructorsJS-0235Invalid `async`/`await` callJS-0294Use of a banned type detectedJS-0296Found `// @ts-<directive>` commentsJS-0295Unnecessary type assertion of an expressionJS-0349Prefer usage of `as const` over literal typeJS-0360Prefer that unbound methods are called with their expected scopeJS-0387Found assignment of exceptions in catch clausesJS-0011`Object.prototype` builtins should not be used directlyJS-0021Found characters which are made with multiple code points in character class syntaxJS-0036Detected import declarations which import extraneous modulesJS-0257Found explicit type declarationsJS-0331Missing key for the propertyJS-0414Avoid usage of deprecated React methodsJS-0441Avoid usage of `findDOMNode`JS-0445Avoid usage of deprecated method `isMounted`JS-0446Found invalid characters in markupJS-0454Detected bin files that npm ignoresJS-0264Detected unsupported ECMAScript built-ins on the specified versionJS-0267Make process.exit() expressions the same code path as throwJS-0270Should not have unused variablesJS-0128Missing `return` statementJS-0030Detected require() expressions which import extraneous modulesJS-0258Detected deprecated APIsJS-0272Duplicate case labels found in switch caseJS-0008Returning values from settersJS-0037Fallthrough of `case` statements foundJS-0064`delete` operator should not be used on variablesJS-0120Found `require()` expressions which import non-existent modulesJS-0260Detected aliasing thisJS-0342Detected the use of require statements except in import statementsJS-0359Duplicate JSX properties detectedJS-0419Marked Flow type identifiers as definedJS-0479Found invalid file annotationJS-0501Detected using a non-null assertion after an optional chain expressionJS-0338Avoid weak typesJS-0491Invalid lifecycle method in classJS-0571Avoid `target='_blank'` attribute without `rel='noopener noreferrer'`JS-0712Found assignment operators in conditional expressionsJS-0001Elements cannot use an invalid ARIA attributeJS-0741Bad usage of `RegExp#exec` and `String#match`JS-D007Invalid lifecycle parameter nameJS-D012Misconfigured CORS in expressJS-D002Unused return value from `Array`/`Object` prototype methodJS-D008Audit: Forwarding IP while setting proxies in the HTTP serverJS-D018Disallows use of posix in regexJS-D014Found bad matching patternJS-D006Found weak hashing functionsJS-D003Audit: Insecure cookieJS-D015Unsafe permissions set on a fileJS-D017Audit: Insecure clear text protocolJS-D019Audit: Allowing dotfiles during static file serving can be sensitiveJS-D020XML parsing may be vulnerable to XXE attacksJS-D022Detected the violation of rules of hooksJS-0820Avoid importing of test support files into non-test codeJS-W1000Consider using `passhref` attribute with `Link` componentJS-W1020Found non-existent assignment operatorsJS-W1033Found usage of href with NuxtLink componentJS-W1034Found complex boolean returnJS-W1041Found flawed string comparisonJS-W1040Found confusing labels inside switchJS-W1036Found error handling middleware in productionJS-S1024Found useless assertions in testJS-W1039Found unhandled promiseJS-0328Syntax errorJS-0833Invalid custom TypeScript modules declarationJS-0364Prevent usage of wrong DOM propertyJS-0455Found redeclared variablesJS-0085Unnecessary non-null assertionJS-0324Use ES6 class for React ComponentsJS-0460Found empty block statementsJS-0009Detected the declaration of empty interfacesJS-0322Found multiple spaces in RegexJS-0022Avoid use of `==` and `!=`JS-0050`with` statements foundJS-0100Found Yoda conditionsJS-0104Prevent shadowing of restricted global objects and identifiersJS-0124Consider grouping overloaded members togetherJS-0292Possible insertion of comments as text nodesJS-0418Detected the use of custom TypeScript modules and namespacesJS-0337Unused labels foundJS-0094Use `RegExp#exec` instead of `String#match`JS-0370Found template literal expression having a non-string typeJS-0378Operands must both be `number`s or `string`s in addition expressionsJS-0377Found unnecessary boolean castsJS-0012Avoid using the return value of `ReactDOM.render`JS-0449React must be present in scope when using JSXJS-0464Avoid passing children as propsJS-0438Prevent using string referencesJS-0451Require generator functions to contain yieldJS-0247IIFEs should be wrappedJS-0103Avoid square-bracket notation when accessing propertiesJS-0049Invalid definition of `new` and `constructor`JS-0335Bad usage of triple slash directivesJS-0384Found octal literalsJS-0081`render` function should return valueJS-0622Use `// @ts-expect-error` over `// @ts-ignore`JS-0372Avoid using lexical declarations in case clausesJS-0054Avoid `mixed` type annotationsJS-0486Prefer type annotations in all function parametersJS-0497Avoid having types in files where annotation is missingJS-0489Prefer using return type annotations for functionsJS-0499Prefer explicit role property in HTML tagsJS-0764Element with aria-activedescendant must be tabbableJS-0740Invalid ARIA state and/or property valuesJS-0742Elements with ARIA roles must use a valid, non-abstract ARIA roleJS-0743Non-visible DOM elements should not contain the `role` and/or `aria-*` propsJS-0744The autocomplete should be correctJS-0745Prefer to accompany `onClick` with some elementsJS-0746Prefer to have content in heading elementsJS-0747Prefer to have lang prop in elementsJS-0748Prefer to have a unique title in `<iframe>`JS-0749Prefer not to use words image, photo in image alt contentJS-0750Interactive elements should be focusableJS-0751Missing `<track>` in`<audio>` / `<video>` elementJS-0754Consider using `onFocus/onBlur` with `onMouseOver/onMouseOut` eventJS-0755Prefer that no distracting elements are usedJS-0758Non-interactive elements assigned mouse/keyboard event listenersJS-0760`tabIndex` declared on a non-interactive elementJS-0762Prefer that non-interactive, visible elements (such as <div>) that have click handlers use the role attributeJS-0765Elements with ARIA roles must have all required attributes for that roleJS-0766Prefer that elements with explicit or implicit roles defined contain only aria-* properties supported by that roleJS-0767Prefer `tabIndex` value is not greater than zeroJS-0769Prefer meaningful alternative textJS-0737Prefer that `autoFocus` prop is not used on elementsJS-0757`label` tags should have a text label and an associated controlJS-0752`accessKey` property usedJS-0756Interactive elements should not be assigned non-interactive rolesJS-0759Non-interactive elements should not be assigned interactive rolesJS-0761Prefer `readonly` React propsJS-0498Prefer that anchors have content and the content is accessible to screen readersJS-0738Use valid anchorsJS-0739The `scope` scope should be used only on `<th>` elementsJS-0768Prefer a consistent naming pattern for type aliasesJS-0509Invalid suffix in `@Directive`JS-0598Invalid naming of directive outputsJS-0574Missing Banana-in-a-box template syntaxJS-0577Missing `PipeTransform` interfaceJS-0595`@Input` is renamedJS-0585Missing `sandbox` in iframeJS-D010Invalid async pipeJS-0578Invalid `.charAt` comparisonJS-D013Detected calls to `buffer` with `noAssert` flag setJS-0822Found duplicate assignmentsJS-W1032Found unused objectsJS-R1002Call to Function objectJS-R1003Logical operator can be refactored to optional chainJS-W1044Found redundant literal in a logical expressionJS-W1043Found trailing undefined in function callJS-W1042Found redundant return statementJS-W1045Found control characters in regular expressionJS-W1035Found control characters in regular expressionJS-W1037Useless template literal foundJS-R1004Too many arguments passed to function callJS-W1038Found usage of deprecated `javascript:` URLsJS-0421Invalid variable usageJS-0043Accessed object properties are restrictedJS-0110Avoid using `this.state` inside `this.setState()`JS-0435Deprecation of number (keycode) modifiersJS-0656Found deprecated `*` existential typeJS-0484Avoid having unused expressionsJS-0490Unsafe content security policyJS-D024Found `key` attribute on `<template v-for>`JS-V001Invalid lifecycle hooksJS-V006Found empty lifecycle methodsJS-0604Avoid the use of `Buffer()` and `Buffer#allocUnsafe()`JS-D025Found `this` in props default functionsJS-V003Invalid destructuring of `props`JS-V005Unsafe argument to `child_process`JS-D023Avoid using the `Buffer()` constructorJS-D026Use `head` property in component as a functionJS-W1013Properties of `$slots` should be used as a functionJS-0658Use of deprecated `$cookieStore`JS-0530Comparisons found where both the sides are exactly the sameJS-0089Forbid certain props on DOM NodesJS-0395Found `$FlowFixMe` commentsJS-0485Race condition in compound assignmentJS-0040Avoid using dangerous JSX propertiesJS-0440Typo in class properties and lifecycle methodsJS-0453Avoid using an element's index as the `key` propJS-0437Avoid using `console` in code that runs on browserJS-0002Missing default values for non-required propertiesJS-0391Avoid `.bind()` or local functions in JSX propertiesJS-0417Avoid using `setState` in `componentDidMount`JS-0442Missing `async` on `Promise` methodsJS-0373Detected the use of variables before they are definedJS-0357Restricted global variables being usedJS-0122Found no return statements in callbacks of array methodsJS-0042Found unsafe function declarationsJS-0073Assignment found where both sides are exactly the sameJS-0088Infinite loop conditionsJS-0092Detected duplicate class membersJS-0319Error objects should be used as Promise rejection reasonsJS-0114Variable used before definitionJS-0129Found duplicate module importsJS-0232Detected the use of classes as namespacesJS-0327Found `parseInt()` and `Number.parseInt()` for number literalsJS-0253Detected new operators with calls to requireJS-0261Detected string concatenation with __dirname and __filenameJS-0262Detected the use of process.exit()JS-0263Default parameters should be placed after non-default onesJS-0302Prevent conditionals where the type is always truthy or always falsyJS-0346Prefer that type arguments will not be used if not requiredJS-0348Found unused variables in TypeScript codeJS-0356Use `includes` method over `indexOf` methodJS-0363Use nullish coalescing operator `??`JS-0365`Array#sort` must have a compare functionJS-0375Type annotations should existJS-0386Avoid using `setState` in `componentWillUpdate`JS-0459Detected Forbidden elementsJS-0396Found unnecessary fragmentsJS-0424Avoid usage of `setState` in `componentDidUpdate`JS-0443Avoid usage of `shouldComponentUpdate`JS-0448Avoid using unsafe lifecycle methodsJS-0456`eval()` should not be usedJS-0060Value should not be returned in constructorJS-0109Found useless backreferences in regular expressionsJS-0039Require error handling in callbacksJS-0254Ensure Node.js-style error-first callback pattern is followedJS-0255Detected unused variables and argumentsJS-0355Found template literal placeholder syntax in regular stringsJS-0038Unnecessary `return await` function foundJS-0111Consider using `let` or `const` instead of `var`JS-0239Non-existent module importedJS-0259Private members should be marked as `readonly`JS-0368Detected Forbidden foreign propTypesJS-0397Prefer to forbid certain propTypesJS-0398Prevent usage of string literals in JSXJS-0420Prevent void DOM elements from receiving childrenJS-0474Found invalid `v-cloak` directivesJS-0630Deprecation of `.native` modifiersJS-0655`emits` validator does not always return a boolean valueJS-0660Should have valid `.sync` modifier on `v-bind` directivesJS-0665Use `$Exact` to make type spreading safeJS-0508Computed property should have property dependenciesJS-0813Prefer having a valid `v-for` directiveJS-0633Custom modifiers on `v-model` should not used on the componentJS-0662Should not use JQueryJS-0793Found invalid `v-model` directivesJS-0636Deprecation of functional templateJS-0648Avoid usage of deprecated `$on`, `$off`, `$once` in events apiJS-0646Avoid using deprecated lifecycle hooksJS-0643Should not use legacy test waitersJS-0794Disallow unnecessary `<template>`JS-0691Avoid overwriting reserved keysJS-0613Found invalid `v-once` directivesJS-0638Duplicate conditions in `v-if` / `v-else-if`JS-0609Found invalid `v-if` directivesJS-0635Avoid mutation of component propsJS-0611Parsing errors detected in `<template>`JS-0612Avoid mutating variables inside computed propertiesJS-0615Disallow unsupported Vue.js syntax on the specified versionJS-0714Prefer prop type to be a constructorJS-0621Always use `key` with `v-for`JS-0623Deprecation of Object Declaration on `data`JS-0629Avoid usage of deprecated `$listeners` on `v-on`JS-0644Found invalid `v-html` directivesJS-0634Found invalid `v-on` directivesJS-0637Found invalid `v-pre` directivesJS-0639Found invalid `v-show` directivesJS-0640Found invalid `v-slot` directivesJS-0641Deprecation of `destroyed` and `beforeDestroy` lifecycle hooksJS-0647Found invalid `v-text` directivesJS-0642Avoid usage of deprecated `$scopedSlots`JS-0645Disallow adding an argument to `v-model` used in custom componentJS-0664Deprecation of `slot-scope` attributeJS-0653Deprecation of `.sync` modifier on `v-bind` directiveJS-0654Deprecation of `Vue.config.keyCodes`JS-0657Should not use `this._super`JS-0782Found Ember's debug functions in wrong orderJS-0790Should not use side effectsJS-0804Use interpolation expressions instead of the `v-html` attributeJS-0693Detected non-null assertion in locations that may be confusingJS-0318Avoid having duplicate attributesJS-0610Deprecation of `is` attribute on HTML elementsJS-0649Deprecation of inline-template attributeJS-0650Require control the display of the content inside `<transition>`JS-0659Found duplicate properties in `Object` annotationsJS-0483Avoid typos when naming methods defined on the scope objectJS-0513Prefer to use `$window` instead of `window`JS-0569Found `this` keyword outside of classesJS-B002Prevent assigning modules to variablesJS-0515Use of controllers is discouragedJS-0525Avoid usage of deprecated `$http` methods `success()` and `error()`JS-0532Avoid using angular properties prefixed with `$$`JS-0516Found empty controllersJS-0524Found impure pipesJS-0575Use one component per fileJS-0517Deprecated directive replace propertyJS-0531Unittest `inject` functions should only consist of assignments from injected values to describe block variablesJS-0546Use `angular.forEach` instead of native `Array.prototype.forEach`JS-0556Prefer to use `angular.isString` instead of `typeof` comparisonsJS-0568Check for common misspellings of `$on(‘destroy’, …)` for angularJS-0570Prefer `Session.equals` in conditionsJS-0732Found `key` of `<template v-for>` on childJS-V002Unused expressions foundJS-B003Invalid `ref` as operandJS-V004Invalid `watch` functionJS-V007Invalid calls after `await`JS-V014Detected wrapping of angular.element objects with jQuery or $JS-0561Avoid direct use of `this` in controllersJS-0519`<a>` tag used without a `Link` componentJS-W1014Avoid using `process.server`, `process.client` and `process.browser` in client side hooksJS-E1000Avoid using `window/document` in `created/beforeCreate` hooksJS-E1001`next/document` import detected outside of `pages/_document.js`JS-E1002`next/head` import detected in `pages/_document.js`JS-E1003Avoid using `this` in `asyncData` and `fetch` hooksJS-W1011Avoid using `setTimeout/setInterval` in `asyncData/fetch`JS-W1012Avoid using deprecated or outdated librariesJS-S1005Use of deprecated `context` methods detectedJS-W1008Disable `X-POWERED-BY` HTTP headerJS-S1004Found import declaration with no export nameJS-E1007Found mutable exportsJS-E1009Found unresolved module being referenced in import statementsJS-E1010Use of comma or logical OR operators in switch casesJS-W1030Avoid having repeated named exports or default exportsJS-E1004Void operators foundJS-0098Use `for-of` loop for arrayJS-0361Disallow unnecessary route `path` optionJS-0809Require a name property in Vue componentsJS-0720Disallow the use of reserved names in component definitionsJS-0707Disallow unused propertiesJS-0715Disallow unnecessary `v-bind` directivesJS-0717Prefer not to use labels that share a name with a variableJS-0121Should not use `needs` to load other controllersJS-0770Detected empty functionsJS-0321Prefer event handler naming conventions in JSXJS-0411Prefer the use of `$ReadOnlyArray` instead of `Array`JS-0487Found unnecessary escape charactersJS-0097Inconsistent font-display for Google FontsJS-W1009Found division operators explicitly at the beginning of regular expressionsJS-0055Require `$on` and `$watch` deregistration callbacks to be saved in a variableJS-0529Disallow unnecessary mustache interpolationsJS-0716Prefer not to declare variables in global scopeJS-0067Prefer not to extend native typesJS-0061Validation of JSX maximum depthJS-0415Found unused expressionsJS-0093Local variable name shadows variable in outer scopeJS-0123Usage of comma operators should be avoidedJS-0090Consider using arrow functions for callbacksJS-0241Detected the `delete` operator with computed key expressionsJS-0320Getter without a setter pair in objectsJS-0041Use shorthand property syntax for object literalsJS-0240Prefer the usage of regular expression literals over the `RegExp` constructorJS-0115Detected the use of `alert`, `confirm` and `prompt`JS-0052`arguments.caller` or `arguments.callee` should not be usedJS-0053Unnecessary calls to `.bind()`JS-0062Found leading or trailing decimal points in numeric literalsJS-0065The use of the `__iterator__` property is not preferredJS-0070Found labeled statementsJS-0071Found some unnecessary nested blocksJS-0072Found `new` operators with the `String`, `Number` and `Boolean` ObjectsJS-0080Usage of octal escape sequences in string literals is not preferredJS-0082Assignment operators should not be used in return statementsJS-0086Inconsistent use of the radix argument when using `parseInt()`JS-0101Prefer var declarations be placed at the top of their scopeJS-0102Class methods should utilize `this`JS-0105Prefer grouped accessor pairs in object literals and classesJS-0107`async function` should have `await` expressionJS-0116Prefer adding `u` flag in regular expressionsJS-0117Found `undefined` as an IdentifierJS-0127Module imported is not necessaryJS-0234Found unnecessary computed property keys in object literalsJS-0236Found unnecessary constructorsJS-0237Found redundant naming for modulesJS-0238Require rest parameters instead of argumentsJS-0244Require template literals instead of string concatenationJS-0246Use sorted import declarations within modulesJS-0249Require symbol descriptionJS-0250Detected usage of void type outside of generic or return typesJS-0333Detected throwing literals as exceptionsJS-0343Detected a namespace qualifier is unnecessaryJS-0347Found interfaces with call signaturesJS-0362Use type parameter when calling `Array#reduce`JS-0369Exhaustiveness checking in switch with union typeJS-0383Unnecessary calls to `.call()` and `.apply()` foundJS-0095Unnecessary `catch` clauses foundJS-0112Use `const` declarations for variables that are never reassignedJS-0242Detected generic Array constructorsJS-0316`.toString()` is only called on objects which provide useful information when stringifiedJS-0317Found unused expressions in TypeScript codeJS-0354Prefer using self closing instead of closing tag for components having no childrenJS-0468Avoid using `this` in stateless functional componentsJS-0452Definitions for unused `propTypes` detectedJS-0457Definitions for unused states detectedJS-0458Prefer state initialization styleJS-0471Ensure `style` attribute is an `Object`JS-0473Either all code paths should have explicit returns, or none of themJS-0045Found shorthand type coercionsJS-0066Unnecessary concatenation of literals or template literals foundJS-0096`eval()`-like methods should not be usedJS-0068Use `String#startsWith` and `String#endsWith`JS-0371Invalid `async` keywordJS-0376Detected unnecessary constructorsJS-0358Found magic numbersJS-0074Prefer consistent naming for boolean propsJS-0389No default cases in switch statementsJS-0047Prefer that `for-in` loops should include an `if` statementJS-0051Found unnecessary `else` blocksJS-0056Found empty functionsJS-0057Unnecessary labelsJS-0063Assignments to native objects or read-only global variables is not preferredJS-0077The usage of `javascript:` urls is not recommendedJS-0087Found warning comments in codeJS-0099Usage of `strict` mode against recommended approachJS-0118Initialization in variable declarations against recommended approachJS-0119Variables should not be initialized to `undefined`JS-0126Require spread operators instead of .apply()JS-0245Consider using dot notationJS-0303Detected unnecessary equality comparisons against boolean literalsJS-0345Bad function overloadingJS-0388Prefer boolean attributes notation in JSXJS-0400Prefer shorthand form for react fragmentsJS-0410Consider Using `PascalCase` for user-defined JSX componentsJS-0426Avoid using spreading operator for JSX propsJS-0428Found invalid `v-bind` directiveJS-0628Prefer having synchronous computed propertiesJS-0607Found invalid `v-else-if` directivesJS-0631Should have valid `v-is` directivesJS-0661Should have order of component top-level elementsJS-0690Should have inheritAttrs to be set to false when using v-bind=`$attrs`JS-0703Disallow the `<template>` `<script>` `<style>` block to be emptyJS-0704Disallow using components that are not registered inside templatesJS-0713The usage of `__proto__` property is not recommendedJS-0084Disallow to pass multiple arguments to scoped slotsJS-0692Should not use Arrow functionsJS-0774Should not use `.on()`JS-0800Migrate `ember-data` to `@ember-data`JS-0818Incorrect computed macrosJS-0789Avoid using `this.attrs` to denote propertiesJS-0776Deprecation of `scope` attributeJS-0651Use valid `lang` value on `html` attributeJS-0753Duplication of field names is not allowedJS-0608Should not use ObserversJS-0798Don't use constructs or configuration that use the restricted resolver in testsJS-0803Don't use Ember's `function` prototypeJS-0784Disallow variable declarations from shadowing variables declared in the outer scopeJS-0679Should not use `pauseTest()` in testsJS-0801Found usage of deprecated `get/getProperties` on Ember ObjectsJS-0786Disallow specific attributeJS-0709Require emits option with name triggered by `$emit()`JS-0688Should not use `getWithDefault`JS-0785Missing `_super` in `init` lifecycle hooksJS-0815Don't use import paths from `ember-cli-shims`JS-0799Throwing literals as exceptions is not recommendedJS-0091Default parameters should be defined at the lastJS-0106Prefer Ember test helpersJS-0811Props are not `read-only`JS-0461Prefer having type alias for all union and intersection typesJS-0493Avoid the usage of primitive constructor typesJS-0488Prefer using exact object typesJS-0494Require inexact object typesJS-0496Use `v-bind:is` in `<component>` elementsJS-0620Prefer using `kebab-case` for custom event namesJS-0605Prefer function as component's `data` propertyJS-0614Found mustaches in `<textarea>`JS-0617Found unused registered components in templatesJS-0618Avoid using `v-if` on the same element as `v-for`JS-0619Found invalid `v-else` directivesJS-0632Invalid use of test waitersJS-0792Prefer each component to be in its own fileJS-0680Require type definitions in propsJS-0683Prefer default value for propsJS-0682Disallow specific component optionJS-0708Should not use `component#sendAction`JS-0771Don’t use jQuery without the Ember Run LoopJS-0772Should not use assignment on untracked propertyJS-0775Should not use `attrs` in ember hooksJS-0777Should not use controller in routesJS-0779Avoid using `@each` in deeply nested computed propertyJS-0780`Ember.testing` not allowed in modules scopeJS-0783Incorrect calls with inline anonymous functionsJS-0788Invalid Dependent KeysJS-0791Should not use mixinsJS-0795Do not use global `$` or `jQuery`JS-0787Should not use `setupOnerror` in `before`/`beforeEach`JS-0797Should use `async/await`JS-0805No importing of test filesJS-0806Use `module` instead of `moduleFor`JS-0807Should not use Volatile Computed PropertiesJS-0810Should use computed macrosJS-0812Always return a value from a computed property functionJS-0814Use `render`/`clearRender` instead of `this.render`/`this.clearRender`JS-0808Should use snake case for dynamic route segmentsJS-0816Indexers must be declared with key nameJS-0495Avoid using arrow functions to define watcherJS-0606Deprecation of `slot` attributeJS-0652Disallow specific argument in `v-bind`JS-0710Should not use arrays and Objects as default propertiesJS-0819Prefer having a consistent component name patternJS-0538Require and specify a prefix for all controller namesJS-0535Require and specify a prefix for all value namesJS-0543Specify a consistent function style for componentsJS-0547Inconsistent order of module dependenciesJS-0548Use `angular.isDefined` and `angular.isUndefined` instead of other undefined checksJS-0554Found `ViewEncapsulation.None`JS-0593Missing component selectorJS-0592Require DI parameters to be sorted alphabeticallyJS-0544Prefer using the `$log` service instead of the console methodsJS-0559Found unused dependency injection parametersJS-0522Avoid using deprecated template lifecycle callback assignmentsJS-0728Found DI of specified servicesJS-0528Invalid restrict option for directiveJS-0523Prefer using `angular.isNumber` instead of `typeof` comparisonsJS-0566Prefer the use of `===` and `!==` over `==` and `!=`JS-V009Use reference modules with the getter syntaxJS-0514Use `angular.element` instead of `$` or `jQuery`JS-0553Use `$document` instead of `document`JS-0555Specify consistent use of `$scope.digest()` or `$scope.apply()`JS-0552Cyclomatic complexity is more than allowed for the templateJS-0590Ensure `controllerAs` syntax in routes or statesJS-0518Avoid assignments to `$scope` in controllersJS-0520Found complex run functionsJS-0527Prefer having a prefix for all component namesJS-0533Specify a prefix for all constant namesJS-0534Prefer having a prefix for all directive namesJS-0536Prefer having a prefix for all factory namesJS-0537Prefer having a prefix for all filter namesJS-0539Prefer having a prefix for all module namesJS-0540Require and specify a prefix for all provider namesJS-0541Require and specify a prefix for all service namesJS-0542use `factory()` instead of `service()`JS-0549Require all DI parameters to be located in their own lineJS-0550Specify one of '$http', '$resource', 'Restangular'JS-0551Use `$interval` instead of `setInterval`JS-0557Consider using `ofangular.fromJson` and `angular.toJson`JS-0558`angular.mock` method can be used directlyJS-0560Prefer using `$timeout` instead of `setTimeout`JS-0562Prefer to use `angular.isArray` instead of `typeof` comparisonsJS-0563Prefer to use `angular.isFunction` instead of `typeof` comparisonsJS-0565Prefer to use `angular.isObject` instead of `typeof` comparisonsJS-0567`@Attribute` decorator should not be usedJS-0572Prevent explicit calls to lifecycle methodsJS-0573Missing `ChangeDetectionStrategy.OnPush` for angular codebaseJS-0576Missing `providedIn` propertyJS-0579Disallows usage of forwardRefJS-0583Disallowed prefix for input namesJS-0584Missing `@Pipe` decoratorJS-0594Prefer using `Meteor.defer` over `Meteor.setTimeout`JS-0729Should have check on all arguments of methods and publish functionsJS-0726Should not use global `$()` JqueryJS-0734Prevent DOM lookup in template `onCreated` callbackJS-0735Require template literals instead of string concatenationJS-V011Require a consistent DI syntaxJS-0545Prefer to use `angular.isDate` instead of `typeof` comparisonsJS-0564Prefer to use dot notation whenever possibleJS-V008Avoid use of inline HTML templatesJS-0526Missing `readonly` for `@Output`JS-0588Should not use template `parentData()`JS-0736Should not use global `Session`JS-0727Found anonymous functionsJS-D004Avoid using multiline stringsJS-C1000Documentation comments not found for functions and classesJS-D1001Avoid using on commonjs in `nuxt.config.js`JS-W1007Duplicate `polyfills` from `Polyfill.io`JS-P1002Found disabled `EXPECT-CT` HeaderJS-S1006Found invalid css selector in test helpersJS-W1004Consider using `preconnect` with Google FontsJS-W1010Avoid using the `<img>` tagJS-W1015Synchronous script loading detectedJS-W1017Avoid using `<title>` with `Head` from `next/document`JS-W1018Avoid adding stylesheet manuallyJS-W1021Multiple `<Head>` detected in `pages/document.js`JS-W1023Bad collection size comparisonJS-W1031Avoid using `settled()` after `ember-test-helpers`JS-P1000Found empty glimmer component classesJS-P1001Found deprecated function `tryInvoke()`JS-W1001Found duplicate routing pathsJS-W1002Found deprecated Ember string prototype extensive methodsJS-W1003Avoid using `currentRouteName()` test helperJS-W1005Using `fetch()` without importing moduleJS-W1006Found unsafe method `htmlSafe()`JS-S1007Found unnecessarily complex import statementJS-C1001Use shorthand promise methodsJS-C1004Found multiple import of the same pathJS-R1000Intersection or union definition have duplicate typesJS-T1000Use default imports for only default exportsJS-W1028Found usage of deprecated nameJS-W1029Avoid using wildcard importsJS-C1003Found single char variable nameJS-C1002Found usage of exported name as property of default importJS-P1003Self import detectedJS-R1001Optional property in interface has an 'undefined' typeJS-T1001Function with cyclomatic complexity higher than thresholdJS-R1005
JavaScript logoJavaScript/
JS-A1005

Audit: Unsanitized external input passed to a templating engine is prone to vulnerabilitiesJS-A1005

Critical severityCritical
Security categorySecurity
a03, 2021, sans-top-25, owasp-top-10, cwe-94

Using unsanitized external inputs with templating engines can lead to Local File Inclusion (LFI) or Remote Code Execution (RCE) attacks.

A specific scenario where such a vulnerability could occur is with the use of ExpressJS in conjunction with Handlebars templating engine. When an externally supplied object is directly passed to the render method to define local variables for the view, an attacker can add a property called as layout to the object, which would allow them to load any local file specified by the layout property.

A recommended way to avert this potential security risk would be to construct the local variables object for the view at the server side or sanitize the externally supplied value before using it with a templating engine.

Bad Practice

const express = require('express');
const app = express();
app.set('view engine', 'hbs');

app.post('/', (req, res) => {
    const options = req.body.params;
    res.render('home', options); // options can have the `layout` property
});

const express = require('express');
const app = express();
app.set('view engine', 'hbs');

app.post('/', (req, res) => {
    const options = req.body.params;
    res.render('home', {
      name: options.name, // construct the object with only the required properties
      title: options.title
    });
});

References