rspec/rules/S4825/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
// === Built-in NodeJS modules ===
const http = require('http');
http.request(url, (res) => {}); // Sensitive
http.get(url, (res) => {}); // Sensitive

const https = require('https');
https.request(url, (res) => {}); // Sensitive
https.get(url, (res) => {}); // Sensitive
----

----
// === Request NodeJS module ===
const request = require('request');
// All Request methods making HTTP requests are security-sensitive and should be reviewed.
// Examples:
request(url, function (error, res, body) {}); // Sensitive
request.get(url); // Sensitive
----

----
// === Axios module ===
const axios = require('axios');
// All Axios methods making HTTP requests are security-sensitive and should be reviewed.
// Example:
axios.get(url) // Sensitive
  .then(function (res) {});
----

----
// === In browser, XMLHttpRequest ===
var xmlhttp = null;
if (window.XMLHttpRequest) {
  xmlhttp = new XMLHttpRequest(); // modern browsers
} else {
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // very old IE browsers
}
xmlhttp.onreadystatechange = function() {};
xmlhttp.open("GET", url, false); // Sensitive
xmlhttp.send();
----

----
// === In modern browsers, Fetch API ===
window.fetch(url) // Sensitive
  .then(function(res) {});
----

----
// === In old IE browsers, XDomainRequest ===
var xdr = new XDomainRequest();
xdr.open("GET", url);
xdr.send();
----

----
// === In browser, jQuery ===
// All jQuery methods making HTTP requests are security-sensitive and should be reviewed.
// Examples:
$.ajax({ url: url }) // Sensitive
  .done(function(data) {});
$.get(url, function(data) {}); // Sensitive
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]