no-winjs-html-unsafe

Disallow unsafe WinJS HTML helpers that bypass validation.

Targeted pattern scope

This rule targets WinJS unsafe sink helpers such as:

  • WinJS.Utilities.setInnerHTMLUnsafe(...)
  • WinJS.Utilities.setOuterHTMLUnsafe(...)
  • WinJS.Utilities.insertAdjacentHTMLUnsafe(...)

What this rule reports

This rule reports direct use of WinJS unsafe HTML insertion helpers.
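An added example, not the plugin's own source, of how a check for these direct calls can be written over an ESTree syntax tree. It also matches bracket access such as WinJS.Utilities["setInnerHTMLUnsafe"], which is an assumption beyond what this page states; the builders id, member and call and the sample tree are constructed for the illustration.

```javascript
// Added example, not the plugin's source. Node shapes follow ESTree.
const UNSAFE_HELPERS = new Set([
  "setInnerHTMLUnsafe", "setOuterHTMLUnsafe", "insertAdjacentHTMLUnsafe",
]);

// Static property name of a MemberExpression, or null when it is dynamic.
function propertyName(m) {
  if (!m.computed && m.property.type === "Identifier") return m.property.name;
  if (m.computed && m.property.type === "Literal" &&
      typeof m.property.value === "string") return m.property.value;
  return null;
}

// True when callee is WinJS.Utilities.<one of the unsafe helpers>.
function isUnsafeWinJsCallee(callee) {
  if (!callee || callee.type !== "MemberExpression") return false;
  if (!UNSAFE_HELPERS.has(propertyName(callee))) return false;
  const ns = callee.object;
  return ns.type === "MemberExpression" && propertyName(ns) === "Utilities" &&
    ns.object.type === "Identifier" && ns.object.name === "WinJS";
}

// Walk the tree and collect the helper name of every unsafe call found.
function findUnsafeCalls(node, found = []) {
  if (!node || typeof node.type !== "string") return found;
  if (node.type === "CallExpression" && isUnsafeWinJsCallee(node.callee)) {
    found.push(propertyName(node.callee));
  }
  for (const [key, child] of Object.entries(node)) {
    if (key === "parent") continue; // ESLint back-reference; would loop
    if (Array.isArray(child)) child.forEach((c) => findUnsafeCalls(c, found));
    else if (child && typeof child === "object") findUnsafeCalls(child, found);
  }
  return found;
}

// Constructed sample AST (hypothetical builders id/member/call):
const id = (name) => ({ type: "Identifier", name });
const member = (object, property, computed = false) =>
  ({ type: "MemberExpression", object, property, computed });
const call = (callee, ...args) =>
  ({ type: "ExpressionStatement",
     expression: { type: "CallExpression", callee, arguments: args } });
const utilities = member(id("WinJS"), id("Utilities"));
const SAMPLE_PROGRAM = { type: "Program", body: [
  call(member(utilities, id("setInnerHTMLUnsafe")), id("element"), id("userSuppliedHtml")),
  call(member(utilities, id("setInnerHTML")), id("element"), id("trustedTemplateHtml")),
  call(member(utilities, { type: "Literal", value: "insertAdjacentHTMLUnsafe" }, true), id("element")),
] };
```

A matcher of this shape sees only the literal WinJS.Utilities chain, so a helper first copied into a local variable is not caught by it.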

Why this rule exists

The Unsafe HTML helper APIs bypass validation, so they increase XSS risk when supplied with untrusted content.

❌ Incorrect

WinJS.Utilities.setInnerHTMLUnsafe(element, userSuppliedHtml);

✅ Correct

WinJS.Utilities.setInnerHTML(element, trustedTemplateHtml);

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },
    rules: {
      "sdl/no-winjs-html-unsafe": "error",
    },
  },
];

When not to use it

Disable only for fully controlled HTML templates with an audited trust chain.

Package documentation

Further reading

Rule catalog ID: R027