Disallow unescaped HTML literals (github/unescaped-html-literal)
June 30, 2025 · View on GitHub
This rule is enabled in the browser config.
Rule Details
Constructing raw HTML with string literals is error-prone and may lead to security issues, because interpolated values are inserted into the markup without escaping.
Instead, use lit-html's html tagged template literal to safely construct HTML literal strings. Alternatively, you can implement your own html tagged template literal function, or use document builder APIs like document.createElement.
Examples of incorrect code for this rule:
const title = `<h1>Hello ${name}!</h1>`
Examples of correct code for this rule:
// good
const title = html`<h1>Hello ${name}!</h1>`
// also good
const title = document.createElement('h1')
title.textContent = `Hello ${name}!`
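The following is an added example, not code from the rule's documentation or from lit-html: a minimal html tagged template literal of the kind the text says you can implement yourself, shown beside the plain template literal the rule flags. The HtmlFragment wrapper and the sample name are assumptions made for this example; the static parts of the template are kept verbatim, and only interpolated values are escaped (nested fragments are left intact so templates can be composed without double escaping).

```javascript
// Fragments produced by html`` are wrapped so they can be nested inside
// other templates without being escaped a second time.
class HtmlFragment {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape one interpolated value unless it is already a trusted fragment.
function escapeHtml(value) {
  if (value instanceof HtmlFragment) return value.markup;
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template literal: `strings` are the static parts written in source
// code and are kept as-is; each dynamic value in `values` is escaped.
function html(strings, ...values) {
  let out = '';
  strings.forEach((str, i) => {
    out += str;
    if (i < values.length) out += escapeHtml(values[i]);
  });
  return new HtmlFragment(out);
}

// Flagged by the rule: a plain template literal copies `name` verbatim.
function unsafeTitle(name) {
  return `<h1>Hello ${name}!</h1>`;
}

// Recommended form: the tag escapes `name` before it reaches the markup.
function safeTitle(name) {
  return html`<h1>Hello ${name}!</h1>`.toString();
}

// Composition: the inner fragment stays intact, the plain string is escaped.
function card(name, note) {
  return html`<div>${html`<h1>Hello ${name}!</h1>`}<p>${note}</p></div>`.toString();
}

// Constructed sample input containing markup characters.
const SAMPLE_NAME = '<b>Mallory</b> & "friends"';

console.log(unsafeTitle(SAMPLE_NAME)); // markup from the input survives
console.log(safeTitle(SAMPLE_NAME));   // markup from the input is escaped
```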
Version
4.3.2