Rule proposal: Forbid `btoa` and `atob`

Question

Rule proposal: Forbid `btoa` and `atob`

fregante opened this issue a year ago · comments

Federico Brigante commented a year ago

Description

See:

In short, they don't support UTF-8

Fail

globalThis.btoa(str);
window.atob(str);
btoa(str);
atob(str)

Pass

import {base64ToString, stringToBase64} from "uint8array-extras";

base64ToString(str);
stringToBase64(str);

Additional Info

Hopefully more native methods will be available soon:

https://github.com/tc39/proposal-arraybuffer-base64

fisker Cheung · Answer 1 · Mon Oct 30 2023 00:34:46 GMT+0800 (China Standard Time)

I use btoa(unescape(encodeURIComponent('中文'))) a lot. It works for me.

Sindre Sorhus · Answer 2 · Mon Oct 30 2023 02:05:18 GMT+0800 (China Standard Time)

unescape()
Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/unescape

fisker Cheung · Answer 3 · Mon Oct 30 2023 02:06:59 GMT+0800 (China Standard Time)

I know that, but it will still be in browser forever. I prefer to use it without add dependencies.

Sindre Sorhus · Answer 4 · Mon Oct 30 2023 02:13:01 GMT+0800 (China Standard Time)

Sure, but it's still not something we should recommend in a lint rule.

The proper solution is what uint8array-extras does, which is also documented here: https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem

silverwind · Answer 5 · Fri Nov 03 2023 01:42:39 GMT+0800 (China Standard Time)

I do agree on flagging atob and btoa but maybe it should not make any module recommendations as those are subjective. I used https://www.npmjs.com/package/base-64 in the past.

Federico Brigante · Answer 6 · Fri Nov 03 2023 02:03:57 GMT+0800 (China Standard Time)

I don't know how that compares performance-wise, but that package is bigger than the whole uint8array-utils package, so maybe it should make recommendations.

silverwind · Answer 7 · Fri Nov 03 2023 02:25:12 GMT+0800 (China Standard Time)

Yeah I wouln't use it today anymore. Maybe it should link to that MDN until a new standard method arises.

silverwind · Answer 8 · Fri Nov 03 2023 02:43:34 GMT+0800 (China Standard Time)

I think https://eslint.org/docs/latest/rules/no-restricted-globals could cover at least part of this:

"no-restricted-globals": [
    "error",
    {
        "name": "atob",
        "message": "Use uint8array-extras instead"
    },
    {
        "name": "btoa",
        "message": "Use uint8array-extras instead"
    }
]

I think it will definitely match on atob, but likely not on window.atob or globalThis.atob, but I would consider that a rule bug. Assuming eslint core will stubbornly refuse to acknowledge it as a bug, I think it's worth to create a improved rule here.

Sindre Sorhus · Answer 9 · Thu May 09 2024 06:45:46 GMT+0800 (China Standard Time)

Assuming eslint core will stubbornly refuse to acknowledge it as a bug

Open an ESLint issue. I don't see why they would refuse that.

silverwind · Answer 10 · Thu May 09 2024 07:46:10 GMT+0800 (China Standard Time)

I won't, had too many bad experiences with opening issues at eslint because they always refuse any behaviour changes in their rules. At this point, I think it's better to fork and fix no-restricted-globals.

This playground confirms above issue.