On Wed, Nov 25, 2015, at 04:43 PM, Jim Porter wrote:
> I'm less sympathetic to the fact that it would break our
> linter, but that's probably because I think linters are a bit silly to
> begin with; if you want good build-time checks that your code isn't
> totally broken, you should use a compiled language and compile with
> -Wall -Werror. :)

It's important to call out that eslint has transcended pure syntactic linting and is now also a very important lightweight static analysis tool that does more than avoid stylistic review nits. While jslint and maybe jshint were more biased towards finding nit-only problems, eslint finds and detects both obvious and subtle bugs in the language that we're writing everything in.

For example, :freddyb's https://github.com/mozfreddyb/eslint-plugin-no-unsafe-innerhtml detects potentially unsafe uses of innerHTML. And these frequently aren't nuisance warnings[1]. The music app NGA rewrite on https://bugzilla.mozilla.org/show_bug.cgi?id=1208154 (reviewed by you ;) introduced a real violation intentionally whitelisted in xfail.list that I manually encountered while code-reading and was filed and fixed as https://bugzilla.mozilla.org/show_bug.cgi?id=1209210.

Likewise, awesome rules like http://eslint.org/docs/rules/no-invalid-this can detect a case where "this" is used without using bind() or an arrow-function that is absolutely an error in call cases. While arrow functions will hopefully reduce this class of error going forward, this is a very real class of bug that has historically occurred while refactoring code. I myself have authored such buggy code and have missed such buggy code in reviews, especially in error-handling paths/edge cases that usually never occur and so may not have sufficient test coverage.

Andrew

1: While one might make an argument that CSP protects us from worst-case scenarios, CSP as mitigation has been sufficiently weakened by adoption of webcomponents that pass trusted arguments via DOM attributes. These create analytical nightmares that effectively mean that any innerHTML bug is once again almost as serious as if we didn't have CSP.

_______________________________________________
dev-fxos mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-fxos
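
The lost-"this" bug class described in the message above, shown as an added example that is not part of the original post or of any Gaia code. The Uploader class and the two transport stubs are hypothetical; the point is that the defect sits only on the error path, so a happy-path test passes while a static check on the callback would still catch it.

```javascript
class Uploader {
  constructor(transport) {
    this.transport = transport; // hypothetical callback-style API: (onOk, onErr)
    this.status = 'idle';
  }
  markDone() { this.status = 'done'; }
  markFailed(err) { this.status = 'failed: ' + err.message; }

  // Buggy: the error callback is a plain function expression, so `this` is
  // undefined when the transport invokes it (class bodies are strict mode).
  // The success path is fine, so a test that never forces a failure passes.
  sendBuggy() {
    this.transport(
      () => this.markDone(),
      function (err) { this.markFailed(err); }
    );
  }

  // Fix 1: an arrow function takes `this` from the enclosing method.
  sendArrow() {
    this.transport(() => this.markDone(), (err) => this.markFailed(err));
  }

  // Fix 2: bind() pins `this` on an ordinary function.
  sendBound() {
    this.transport(
      () => this.markDone(),
      function (err) { this.markFailed(err); }.bind(this)
    );
  }
}

// Constructed transports that call back synchronously to keep the demo short.
const succeed = (onOk, onErr) => onOk();
const fail = (onOk, onErr) => onErr(new Error('offline'));

// Runs one send method and reports the final status or the exception type.
function run(method, transport) {
  const u = new Uploader(transport);
  try {
    u[method]();
    return u.status;
  } catch (e) {
    return 'threw ' + e.constructor.name;
  }
}

console.log(run('sendBuggy', succeed), '|', run('sendBuggy', fail));
```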

