DEPRECATED DO NOT USE

Use https://www.npmjs.com/package/eslint-plugin-no-unsanitized instead, thanks!.

No further changes are planned here

eslint-plugin-no-unescaped

Checks for the following unsafe property assignement issues in code:

no-key-assignment

  const me = "innerHTML";

This prevents key usage of variables to access unsafe properties and bypassing the enforce rule. This isn't fool proof either however should catch accidental usage of this capability.

Configure eslint like this:

  "no-unescaped/no-key-assignment": ["error", ["innerHTML"]]

enforce

  el.innerHTML = `${bad}`;

This prevents assigning variables from user input into known capabilities that are dangerous to assign to.

Configure eslint like this:

  "no-unescaped/enforce": ["error",
    {
      html: {
        taggedTemplates: ["escaped"],
        methods: ["escapeHTML"]
      },
    },
    {
      properties: {
        innerHTML: {
          type: "html"
        },
        outerHTML: {
          type: "html"
        },
      },
      methods: {
        insertAdjacentHTML: {
          type: "html",
          properties: [1]
        },
        writeln: {
          type: "html",
          properties: [0]
        },
        write: {
          type: "html",
          properties: [0]
        },
        createContextualFragment: {
          type: "html",
          properties: [0]
        }
      }
    }
  ]

The above is the default setup for the rule, the second and third argument can be ignored for the default setup.

This permits the use of tagged template strings where the function permitted is used to regulate unsafe strings and escape them.

  el.innerHTML = escaped`${bad}`;

TODO

Currently the following is considered an error, investigate if this can safely be permitted as it is a common use-case to solve template string reuse.

function escapeMe(var) {
  return `Hey check this ${var}!`;
}
el.innerHTML = escapeMe(someVar);