Sync with template-lint

Author: NullVoxPopuli

docs/rules/template-no-triple-curlies.md

@@ -2,61 +2,26 @@
 
 <!-- end auto-generated rule header -->
 
-Disallows usage of triple curly brackets (unescaped output) in templates.
-
-Triple curly brackets (`{{{ }}}`) render unescaped HTML, which can lead to XSS (Cross-Site Scripting) vulnerabilities if user input is not properly sanitized.
-
-## Rule Details
-
-This rule disallows the use of triple curly brackets for unescaped output. If you need to render HTML, use the `htmlSafe` helper or `SafeString` API with proper sanitization.
+Usage of triple curly braces to allow raw HTML to be injected into the DOM is a large vector for exploits of your application (especially when the raw HTML is user-controllable). Instead of using `{{{foo}}}`, you should use appropriate helpers or computed properties that return a `SafeString` (via `Ember.String.htmlSafe` generally) and ensure that user-supplied data is properly escaped.
 
 ## Examples
 
-Examples of **incorrect** code for this rule:
-
-```gjs
-<template>
-  {{{this.content}}}
-</template>
-```
-
-```gjs
-<template>
-  <div>
-    {{{@htmlContent}}}
-  </div>
-</template>
-```
-
-Examples of **correct** code for this rule:
+This rule **forbids** the following:
 
 ```gjs
 <template>
-  {{this.content}}
+  {{{foo}}}
 </template>
 ```
 
-```gjs
-<template>
-  {{htmlSafe this.sanitizedContent}}
-</template>
-```
+This rule **allows** the following:
 
 ```gjs
 <template>
-  <div>{{@text}}</div>
+  {{foo}}
 </template>
 ```
 
-## When Not To Use It
-
-If you are certain that the content being rendered is already sanitized and safe, you may disable this rule. However, this is generally discouraged for security reasons.
-
-## Related Rules
-
-- [no-html-safe](./no-html-safe.md) from eslint-plugin-ember
-
 ## References
 
-- [eslint-plugin-ember template-no-triple-curlies](https://github.com/ember-cli/eslint-plugin-ember/blob/master/docs/rules/template-no-triple-curlies.md)
-- [Ember.js Security Guide](https://guides.emberjs.com/release/security/)
+- See the [documentation](https://api.emberjs.com/ember/release/functions/@ember%2Ftemplate/htmlSafe) for Ember's `htmlSafe` function

lib/rules/template-no-triple-curlies.js

@@ -5,16 +5,11 @@ module.exports = {
     docs: {
       description: 'disallow usage of triple curly brackets (unescaped variables)',
       category: 'Security',
-      recommended: false,
       url: 'https://github.com/ember-cli/eslint-plugin-ember/tree/master/docs/rules/template-no-triple-curlies.md',
       templateMode: 'both',
     },
-    fixable: null,
     schema: [],
-    messages: {
-      unsafe:
-        'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
-    },
+    messages: { unsafe: 'Usage of triple curly brackets is unsafe' },
     originallyFrom: {
       name: 'ember-template-lint',
       rule: 'lib/rules/no-triple-curlies.js',
@@ -26,8 +21,6 @@ module.exports = {
   create(context) {
     return {
       GlimmerMustacheStatement(node) {
-        // Check if the statement is unescaped (triple curlies)
-        // Use 'trusting' property (escaped is deprecated)
         if (node.trusting === true) {
           context.report({
             node,

tests/lib/rules/template-no-triple-curlies.js

@@ -5,95 +5,51 @@
 const rule = require('../../../lib/rules/template-no-triple-curlies');
 const RuleTester = require('eslint').RuleTester;
 
-//------------------------------------------------------------------------------
-// Tests
-//------------------------------------------------------------------------------
-
-const ruleTester = new RuleTester({
+const validHbs = [
+  '{{foo}}',
+  '{{! template-lint-disable no-bare-strings }}',
+  '{{! template-lint-disable }}',
+  // Upstream also treats `{{! template-lint-disable no-triple-curlies}}{{{lol}}}` as valid,
+  // but this RuleTester does not honor template-lint disable directives.
+];
+
+const invalidHbs = [
+  {
+    code: '\n {{{foo}}}',
+    output: null,
+    errors: [{ message: 'Usage of triple curly brackets is unsafe' }],
+  },
+];
+
+function wrapTemplate(entry) {
+  if (typeof entry === 'string') {
+    return `<template>${entry}</template>`;
+  }
+
+  return {
+    ...entry,
+    code: `<template>${entry.code}</template>`,
+    output: entry.output ? `<template>${entry.output}</template>` : entry.output,
+    errors: entry.errors.map(() => ({ messageId: 'unsafe' })),
+  };
+}
+
+const gjsRuleTester = new RuleTester({
   parser: require.resolve('ember-eslint-parser'),
   parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
 });
 
-ruleTester.run('template-no-triple-curlies', rule, {
-  valid: [
-    `<template>
-      {{this.content}}
-    </template>`,
-    `<template>
-      <div>{{@text}}</div>
-    </template>`,
-    `<template>
-      {{htmlSafe this.content}}
-    </template>`,
-
-    '<template>{{foo}}</template>',
-  ],
-
-  invalid: [
-    {
-      code: `<template>
-        {{{this.content}}}
-      </template>`,
-      output: null,
-      errors: [
-        {
-          message:
-            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
-          type: 'GlimmerMustacheStatement',
-        },
-      ],
-    },
-    {
-      code: `<template>
-        <div>
-          {{{@htmlContent}}}
-        </div>
-      </template>`,
-      output: null,
-      errors: [
-        {
-          message:
-            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
-          type: 'GlimmerMustacheStatement',
-        },
-      ],
-    },
-
-    {
-      code: `<template>
- {{{foo}}}</template>`,
-      output: null,
-      errors: [
-        {
-          message:
-            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
-        },
-      ],
-    },
-  ],
+gjsRuleTester.run('template-no-triple-curlies', rule, {
+  valid: validHbs.map(wrapTemplate),
+  invalid: invalidHbs.map(wrapTemplate),
 });
 
 const hbsRuleTester = new RuleTester({
   parser: require.resolve('ember-eslint-parser/hbs'),
   parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
 });
 
-hbsRuleTester.run('template-no-triple-curlies (hbs)', rule, {
-  valid: [
-    '{{foo}}',
-    '{{! template-lint-disable no-bare-strings }}',
-    '{{! template-lint-disable }}',
-  ],
-  invalid: [
-    {
-      code: '\n {{{foo}}}',
-      output: null,
-      errors: [
-        {
-          message:
-            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
-        },
-      ],
-    },
-  ],
+hbsRuleTester.run('template-no-triple-curlies', rule, {
+  valid: validHbs,
+  invalid: invalidHbs,
 });