Skip to main content

no-winjs-html-unsafe

Disallow unsafe WinJS HTML helpers that bypass validation.

Targeted pattern scopeโ€‹

This rule targets WinJS unsafe sink helpers such as:

  • WinJS.Utilities.setInnerHTMLUnsafe(...)
  • WinJS.Utilities.setOuterHTMLUnsafe(...)
  • WinJS.Utilities.insertAdjacentHTMLUnsafe(...).

What this rule reportsโ€‹

This rule reports direct use of WinJS unsafe HTML insertion helpers.

Why this rule existsโ€‹

Unsafe HTML helper APIs increase XSS risk when supplied with untrusted content.

โŒ Incorrectโ€‹

WinJS.Utilities.setInnerHTMLUnsafe(element, userSuppliedHtml);

โœ… Correctโ€‹

WinJS.Utilities.setInnerHTML(element, trustedTemplateHtml);

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-winjs-html-unsafe": "error",
},
},
];

When not to use itโ€‹

Disable only for fully controlled HTML templates with an audited trust chain.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R027