Skip to main content

no-msapp-exec-unsafe

Disallow MSApp.execUnsafeLocalFunction calls that bypass script safety checks.

Targeted pattern scopeโ€‹

This rule targets MSApp.execUnsafeLocalFunction(...) usage.

What this rule reportsโ€‹

This rule reports direct calls to unsafe local function execution wrappers.

Why this rule existsโ€‹

This API bypasses platform script injection protections and can allow unsafe DOM or script execution.

โŒ Incorrectโ€‹

MSApp.execUnsafeLocalFunction(() => {
element.innerHTML = userSuppliedHtml;
});

โœ… Correctโ€‹

element.textContent = userSuppliedHtml;

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-msapp-exec-unsafe": "error",
},
},
];

When not to use itโ€‹

Disable only for legacy Windows Store app code that is isolated and audited.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R022