no-winjs-html-unsafe
Disallow unsafe WinJS HTML helpers that bypass validation.
Targeted pattern scopeโ
This rule targets WinJS unsafe sink helpers such as:
WinJS.Utilities.setInnerHTMLUnsafe(...)WinJS.Utilities.setOuterHTMLUnsafe(...)WinJS.Utilities.insertAdjacentHTMLUnsafe(...).
What this rule reportsโ
This rule reports direct use of WinJS unsafe HTML insertion helpers.
Why this rule existsโ
Unsafe HTML helper APIs increase XSS risk when supplied with untrusted content.
โ Incorrectโ
WinJS.Utilities.setInnerHTMLUnsafe(element, userSuppliedHtml);
โ Correctโ
WinJS.Utilities.setInnerHTML(element, trustedTemplateHtml);
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-winjs-html-unsafe": "error",
},
},
];
When not to use itโ
Disable only for fully controlled HTML templates with an audited trust chain.
Package documentationโ
Further readingโ
Rule catalog ID: R027