no-angularjs-bypass-sce
Disallow AngularJS Strict Contextual Escaping (SCE) bypass operations.
Targeted pattern scope
This rule targets APIs that disable or bypass SCE, including:
- $sceProvider.enabled(false)
- $sceDelegate.trustAs(...)
- $sce.trustAs(...)
- shorthand variants such as trustAsHtml(...)
What this rule reports
This rule reports SCE bypass usage that marks values as trusted without framework sanitization.
Why this rule exists
SCE is a core AngularJS defense against unsafe DOM and script sinks. Bypassing it expands the XSS attack surface.
Incorrect
$sceProvider.enabled(false);
const trusted = $sce.trustAsHtml(userSuppliedHtml);
Correct
// Keep SCE enabled and render untrusted data through AngularJS bindings.
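To make the targeted pattern scope concrete, here is an added, illustrative ESLint-style rule that flags the calls listed above; it is written for this page and is not the eslint-plugin-sdl-2 implementation. The ESTree node shapes and the callNode/lint helpers are assumptions used to exercise it offline.

```javascript
// Illustrative rule written for this page (not eslint-plugin-sdl-2's source):
// flags the AngularJS SCE bypass call patterns that the rule above targets.
const SCE_SERVICES = new Set(["$sce", "$sceDelegate"]); // their trustAs* methods vouch for values
// Classify an ESTree CallExpression; returns a report message, or null if it is fine.
function classifySceBypass(node) {
  const c = node && node.type === "CallExpression" ? node.callee : null;
  if (!c || c.type !== "MemberExpression" || c.computed) return null;
  if (c.object.type !== "Identifier" || c.property.type !== "Identifier") return null;
  const obj = c.object.name, method = c.property.name;
  if (obj === "$sceProvider" && method === "enabled") {
    // $sceProvider.enabled(false) switches SCE off for the whole application.
    const arg = node.arguments[0];
    const off = arg && arg.type === "Literal" && arg.value === false;
    return off ? "$sceProvider.enabled(false) disables SCE globally" : null;
  }
  if (SCE_SERVICES.has(obj) && method.startsWith("trustAs")) {
    // $sce.trustAs(...), $sce.trustAsHtml(...), $sceDelegate.trustAs(...), and so on.
    return `${obj}.${method}() marks a value as trusted without sanitization`;
  }
  return null;
}

// Rule object in the shape ESLint expects from a plugin rule.
const noAngularjsBypassSce = {
  meta: { type: "problem", docs: { description: "Disallow AngularJS SCE bypass" }, schema: [] },
  create(context) {
    return {
      CallExpression(node) {
        const message = classifySceBypass(node);
        if (message) context.report({ node, message });
      },
    };
  },
};

// Constructed ESTree node for a call such as `$sce.trustAsHtml(x)` (test input, not parsed source).
function callNode(objectName, methodName, args = []) {
  const id = (name) => ({ type: "Identifier", name });
  const callee = { type: "MemberExpression", computed: false, object: id(objectName), property: id(methodName) };
  return { type: "CallExpression", callee, arguments: args };
}

// Run the rule over constructed nodes with a stub context; returns the reported messages.
function lint(nodes) {
  const reports = [];
  const visitors = noAngularjsBypassSce.create({ report: (r) => reports.push(r.message) });
  nodes.forEach((n) => visitors.CallExpression(n));
  return reports;
}
```

Note that a real deployment should resolve aliases (for example a service injected under another name), which this illustration does not attempt.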
ESLint flat config example
import sdl from "eslint-plugin-sdl-2";
export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-angularjs-bypass-sce": "error",
    },
  },
];
When not to use it
Disable only in tightly controlled migration paths where bypass calls are isolated and reviewed.
Package documentation
Further reading
Rule catalog ID: R003