no-angular-bypass-sanitizer
Disallow Angular DomSanitizer bypass APIs that trust unvalidated content.
Targeted pattern scope
This rule targets direct calls to Angular sanitizer bypass APIs such as:
- bypassSecurityTrustHtml(...)
- bypassSecurityTrustScript(...)
- related bypassSecurityTrust* methods
What this rule reports
This rule reports code paths that mark untrusted input as safe using
DomSanitizer bypass helpers.
Why this rule exists
Bypassing Angular sanitization marks attacker-controlled input as trusted content, so Angular renders it without sanitization, which increases XSS risk.
Incorrect
const trusted = sanitizer.bypassSecurityTrustHtml(userSuppliedHtml);
elementRef.nativeElement.innerHTML = trusted;
Correct
const sanitizedHtml = sanitizer.sanitize(
SecurityContext.HTML,
userSuppliedHtml
);
elementRef.nativeElement.textContent = sanitizedHtml ?? "";
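To make concrete what "reports code paths that mark untrusted input as safe" means, here is an added, illustrative ESLint-style rule (not the eslint-plugin-sdl-2 source) that flags any call whose callee is a `bypassSecurityTrust*` member, covering both the dotted form from the Incorrect snippet and the bracket-string form. It is run against a constructed ESTree-shaped AST with a tiny walker standing in for ESLint's traversal, so it executes without ESLint or Angular installed; the node-builder helpers and the sample program are assumptions made for this example.

```typescript
// Illustrative rule (not eslint-plugin-sdl-2's code): report DomSanitizer
// bypassSecurityTrust* calls. Runs offline against a constructed ESTree AST.

// Minimal subset of ESTree node shapes used below.
interface BaseNode { type: string; [key: string]: unknown }
interface Identifier extends BaseNode { type: "Identifier"; name: string }
interface MemberExpression extends BaseNode {
  type: "MemberExpression"; object: BaseNode; property: BaseNode; computed: boolean;
}
interface CallExpression extends BaseNode {
  type: "CallExpression"; callee: BaseNode; arguments: BaseNode[];
}
interface Report { node: BaseNode; message: string }
interface RuleContext { report(r: Report): void }

const BYPASS_PREFIX = "bypassSecurityTrust";

// Returns the bypass method name when `node` is a call such as
// x.bypassSecurityTrustHtml(...) or x["bypassSecurityTrustScript"](...), else null.
function bypassMethodName(node: CallExpression): string | null {
  if (node.callee.type !== "MemberExpression") return null;
  const member = node.callee as MemberExpression;
  const prop = member.property;
  let name: string | null = null;
  if (!member.computed && prop.type === "Identifier") {
    name = (prop as Identifier).name;
  } else if (member.computed && prop.type === "Literal" && typeof prop.value === "string") {
    name = prop.value as string; // string-keyed bracket access
  }
  return name !== null && name.startsWith(BYPASS_PREFIX) ? name : null;
}

// Rule in the shape ESLint expects: `create` returns AST node visitors.
const noAngularBypassSanitizer = {
  meta: { type: "problem", docs: { description: "Disallow Angular DomSanitizer bypass APIs" } },
  create(context: RuleContext) {
    return {
      CallExpression(node: CallExpression): void {
        const name = bypassMethodName(node);
        if (name !== null) {
          context.report({ node, message: `Avoid DomSanitizer.${name}(); sanitize untrusted content instead.` });
        }
      },
    };
  },
};

function isNode(v: unknown): v is BaseNode {
  return typeof v === "object" && v !== null && typeof (v as { type?: unknown }).type === "string";
}

// Depth-first walker standing in for ESLint's traversal; collects reports.
function lint(ast: BaseNode): Report[] {
  const reports: Report[] = [];
  const visitors = noAngularBypassSanitizer.create({ report: (r) => { reports.push(r); } });
  const walk = (node: BaseNode): void => {
    if (node.type === "CallExpression") visitors.CallExpression(node as CallExpression);
    for (const value of Object.values(node)) {
      if (Array.isArray(value)) value.forEach((v) => { if (isNode(v)) walk(v); });
      else if (isNode(value)) walk(value);
    }
  };
  walk(ast);
  return reports;
}

// Hypothetical node builders used only to construct the sample AST.
const id = (name: string): Identifier => ({ type: "Identifier", name });
const member = (object: BaseNode, property: BaseNode, computed = false): MemberExpression =>
  ({ type: "MemberExpression", object, property, computed });
const call = (callee: BaseNode, args: BaseNode[] = []): CallExpression =>
  ({ type: "CallExpression", callee, arguments: args });
const stmt = (expression: BaseNode): BaseNode => ({ type: "ExpressionStatement", expression });

// Constructed program: the Incorrect bypass call, a bracket-string variant,
// and the Correct sanitize(SecurityContext.HTML, ...) call that must not be reported.
const sampleProgram: BaseNode = {
  type: "Program",
  body: [
    stmt(call(member(id("sanitizer"), id("bypassSecurityTrustHtml")), [id("userSuppliedHtml")])),
    stmt(call(member(id("sanitizer"), { type: "Literal", value: "bypassSecurityTrustScript" }, true), [id("code")])),
    stmt(call(member(id("sanitizer"), id("sanitize")),
      [member(id("SecurityContext"), id("HTML")), id("userSuppliedHtml")])),
  ],
};

const findings = lint(sampleProgram);
findings.forEach((f) => console.log(f.message)); // two findings, sanitize() is not reported
```

The point of keying the check on the callee's property name is that the bypass is a call-site decision: whatever the receiver variable is named, the presence of a `bypassSecurityTrust*` call is what removes Angular's sanitization and therefore what the rule surfaces for review.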
ESLint flat config example
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-angular-bypass-sanitizer": "error",
},
},
];
When not to use it
Disable this rule only for a reviewed framework integration that genuinely requires a trusted-type flow, and only where the content source is strictly controlled rather than user-supplied.
Package documentation
Further reading
Rule catalog ID: R001