no-angular-bypass-security-trust-html

Disallow Angular bypassSecurityTrustHtml usage that marks unvalidated HTML as trusted.

Targeted pattern scope

Angular DomSanitizer bypass APIs for HTML trust.

What this rule reports

Calls to bypassSecurityTrustHtml(...).

Why this rule exists

Bypassing Angular sanitization for HTML can introduce XSS if values are not strictly validated.

❌ Incorrect

const trusted = sanitizer.bypassSecurityTrustHtml(userHtml);

✅ Correct

const trusted = sanitizer.sanitize(SecurityContext.HTML, userHtml);

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },

  rules: {
   "sdl/no-angular-bypass-security-trust-html": "error",
  },
 },
];

When not to use it

Disable only if a reviewed framework boundary must return trusted HTML and the source is strictly validated before trust conversion.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​