diff --git a/docs/rules/unescaped-html-literal.md b/docs/rules/unescaped-html-literal.md
index 6f08bc3b..3afc4c70 100644
--- a/docs/rules/unescaped-html-literal.md
+++ b/docs/rules/unescaped-html-literal.md
@@ -8,7 +8,7 @@
Constructing raw HTML with string literals is error prone and may lead to security issues.
-Instead use [`lit-html`](https://github.com/Polymer/lit-html)'s `html` tagged template literal to safely construct HTML literal strings. Alternatively, you can use document builder APIs like `document.createElement`.
+Instead use [`lit-html`](https://github.com/Polymer/lit-html)'s `html` tagged template literal to safely construct HTML literal strings. Alternatively, you can implement your own `html` tagged template literal function, or use document builder APIs like `document.createElement`.
👎 Examples of **incorrect** code for this rule:
diff --git a/lib/rules/unescaped-html-literal.js b/lib/rules/unescaped-html-literal.js
index d8a7c6fd..fb6c8dc4 100644
--- a/lib/rules/unescaped-html-literal.js
+++ b/lib/rules/unescaped-html-literal.js
@@ -15,7 +15,7 @@ export default {
},
create(context) {
- const htmlOpenTag = /^<[a-zA-Z]/
+ const htmlOpenTag = /^\s*<[a-zA-Z]/
return {
Literal(node) {
diff --git a/tests/unescaped-html-literal.js b/tests/unescaped-html-literal.js
index f9b66ef7..6f8ccb95 100644
--- a/tests/unescaped-html-literal.js
+++ b/tests/unescaped-html-literal.js
@@ -57,6 +57,16 @@ ruleTester.run('unescaped-html-literal', rule, {
},
],
},
+ {
+ code: "const helloHTML = ` \n\tHello ${name}!
`",
+ parserOptions: {ecmaVersion: 2017},
+ errors: [
+ {
+ message: 'Unescaped HTML literal. Use html`` tag template literal for secure escaping.',
+ type: 'TemplateLiteral',
+ },
+ ],
+ },
{
code: 'const helloHTML = foo`Hello ${name}!
`',
parserOptions: {ecmaVersion: 2017},