From 6dccb7d0a914d4b2a341651f697494334f5d6450 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Mon, 30 Jun 2025 19:06:54 +0800 Subject: [PATCH 1/3] stricter html string check --- lib/rules/unescaped-html-literal.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rules/unescaped-html-literal.js b/lib/rules/unescaped-html-literal.js index d8a7c6fd..fb6c8dc4 100644 --- a/lib/rules/unescaped-html-literal.js +++ b/lib/rules/unescaped-html-literal.js @@ -15,7 +15,7 @@ export default { }, create(context) { - const htmlOpenTag = /^<[a-zA-Z]/ + const htmlOpenTag = /^\s*<[a-zA-Z]/ return { Literal(node) { From 008d9d53b9ad0ff8b53527935f5ee53070574ea6 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Mon, 30 Jun 2025 19:14:10 +0800 Subject: [PATCH 2/3] add test --- tests/unescaped-html-literal.js | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/unescaped-html-literal.js b/tests/unescaped-html-literal.js index f9b66ef7..6f8ccb95 100644 --- a/tests/unescaped-html-literal.js +++ b/tests/unescaped-html-literal.js @@ -57,6 +57,16 @@ ruleTester.run('unescaped-html-literal', rule, { }, ], }, + { + code: "const helloHTML = ` \n\t
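Review bot: The widened pattern `/^\s*<[a-zA-Z]/` carries no comment explaining why leading whitespace is now tolerated, and the next reader cannot tell whether `\s*` swallowing newlines and tabs was intentional; a one-liner above the constant such as `// tolerate leading whitespace/newlines: multi-line template literals often start with "\n  <div>"` would record the intent. The regex is shared by the `Literal` handler visible at the end of the hunk and, presumably, by a `TemplateLiteral` handler further down in `create()`, but the test added in the second patch (tests/unescaped-html-literal.js) exercises only a TemplateLiteral; a plain string literal with leading whitespace, e.g. `'  <div>'`, has no case and would be worth adding so both branches are pinned. A literal whose first non-whitespace character is not a tag opener (text preceding markup, or `<!` constructs) is still not flagged, which is the pre-existing limit of the heuristic rather than a regression of this change. The body of `create()` continues past the end of the hunk.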
Hello ${name}!
`", + parserOptions: {ecmaVersion: 2017}, + errors: [ + { + message: 'Unescaped HTML literal. Use html`` tag template literal for secure escaping.', + type: 'TemplateLiteral', + }, + ], + }, { code: 'const helloHTML = foo`
Hello ${name}!
`', parserOptions: {ecmaVersion: 2017}, From 131ed6d3212373b1534f92d240617e32e0877673 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Mon, 30 Jun 2025 20:52:46 +0800 Subject: [PATCH 3/3] Update unescaped-html-literal.md --- docs/rules/unescaped-html-literal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/rules/unescaped-html-literal.md b/docs/rules/unescaped-html-literal.md index 6f08bc3b..3afc4c70 100644 --- a/docs/rules/unescaped-html-literal.md +++ b/docs/rules/unescaped-html-literal.md @@ -8,7 +8,7 @@ Constructing raw HTML with string literals is error prone and may lead to security issues. -Instead use [`lit-html`](https://github.com/Polymer/lit-html)'s `html` tagged template literal to safely construct HTML literal strings. Alternatively, you can use document builder APIs like `document.createElement`. +Instead use [`lit-html`](https://github.com/Polymer/lit-html)'s `html` tagged template literal to safely construct HTML literal strings. Alternatively, you can implement your own `html` tagged template literal function, or use document builder APIs like `document.createElement`. 👎 Examples of **incorrect** code for this rule: