no-angularjs-ng-bind-html-without-sanitize

Disallow AngularJS ng-bind-html usage when sanitization is not explicit.

Targeted pattern scope

AngularJS templates using ng-bind-html without explicit sanitize context.

What this rule reports

ng-bind-html usage in template strings that do not indicate sanitize support.

Why this rule exists

Unsafe HTML binding in AngularJS can lead to reflected or stored XSS.

❌ Incorrect

const template = `<div ng-bind-html="unsafeHtml"></div>`;

✅ Correct

const template = `<div ng-bind-html="trustedHtml" ngSanitize></div>`;

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },

  rules: {
   "sdl/no-angularjs-ng-bind-html-without-sanitize": "error",
  },
 },
];

When not to use it

Disable only if the project has explicit AngularJS sanitization controls and a reviewed HTML trust pipeline.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​