The plugin provides pre-configured rule sets and comprehensive configuration options for easy ESLint integration. It supports both modern flat config and legacy eslintrc configuration formats.
The main plugin export containing rules, configurations, and metadata.
/**
* Main ESLint plugin export
*/
const plugin = {
meta: {
name: "eslint-plugin-no-unsanitized",
version: string // Dynamically loaded from package.json
},
rules: {
property: ESLintRule, // Property assignment validation rule
method: ESLintRule // Method call validation rule
},
configs: {
recommended: FlatConfig, // Modern flat config format
"recommended-legacy": LegacyConfig, // Legacy eslintrc format
DOM: DeprecatedConfig // Deprecated, use recommended-legacy
}
};Modern configuration format for ESLint's flat config system.
interface FlatConfig {
plugins: {
"no-unsanitized": ESLintPlugin;
};
rules: {
"no-unsanitized/property": "error";
"no-unsanitized/method": "error";
};
}
// Usage
import nounsanitized from "eslint-plugin-no-unsanitized";
export default [nounsanitized.configs.recommended];Traditional configuration format for .eslintrc files.
interface LegacyConfig {
plugins: ["no-unsanitized"];
rules: {
"no-unsanitized/property": "error";
"no-unsanitized/method": "error";
};
}
// Usage in .eslintrc.json
{
"extends": ["plugin:no-unsanitized/recommended-legacy"]
}Legacy configuration maintained for backward compatibility with deprecation warning.
// Deprecated: Use recommended-legacy instead
const DOMConfig = {
get() {
console.log(
'The "DOM" configuration of the "no-unsanitized" plugin is deprecated. Use "recommended-legacy" instead.'
);
return this["recommended-legacy"];
},
enumerable: true
};Both rules support extensive configuration options for customizing security policies.
// Complete rule configuration schema
interface ESLintRuleConfiguration {
"no-unsanitized/property": PropertyRuleConfig;
"no-unsanitized/method": MethodRuleConfig;
}
interface PropertyRuleConfig {
[0]: "error" | "warn" | "off";
[1]?: PropertyRuleOptions; // Optional first config object
[2]?: PropertyCustomRules; // Optional second config object for custom rules
}
interface MethodRuleConfig {
[0]: "error" | "warn" | "off";
[1]?: MethodRuleOptions; // Optional first config object
[2]?: MethodCustomRules; // Optional second config object for custom rules
}
// First configuration object (rule options)
interface PropertyRuleOptions {
escape?: EscapeConfiguration;
variableTracing?: boolean;
}
interface MethodRuleOptions {
defaultDisable?: boolean; // Disable all default rule checks
escape?: EscapeConfiguration;
objectMatches?: string[]; // Global object matching patterns
properties?: number[]; // Global parameter indices to check
variableTracing?: boolean;
}
interface EscapeConfiguration {
taggedTemplates?: string[]; // Allowed tagged template functions
methods?: string[]; // Allowed escaping methods
}
// Second configuration object (custom rule definitions)
interface PropertyCustomRules {
[propertyName: string]: PropertyRuleCheck;
}
interface MethodCustomRules {
[methodName: string]: MethodRuleCheck;
}
interface PropertyRuleCheck {
escape?: EscapeConfiguration; // Override escape functions for this property
}
interface MethodRuleCheck {
properties: number[]; // Required: parameter indices to validate
objectMatches?: string[]; // Object matching patterns for this method
escape?: EscapeConfiguration; // Override escape functions for this method
}Usage Examples:
// Basic usage with recommended config
import nounsanitized from "eslint-plugin-no-unsanitized";
export default [nounsanitized.configs.recommended];
// Custom configuration with additional escape functions
export default [
{
files: ["**/*.js"],
plugins: { "no-unsanitized": nounsanitized },
rules: {
"no-unsanitized/property": ["error", {
escape: {
taggedTemplates: ["html", "escapeHTML", "Sanitizer.escapeHTML"],
methods: ["sanitize", "escapeHTML", "Sanitizer.unwrapSafeHTML"]
},
variableTracing: true
}],
"no-unsanitized/method": ["error", {
escape: {
taggedTemplates: ["html", "escapeHTML"],
methods: ["sanitize", "escapeHTML"]
},
objectMatches: ["document", "window.document"],
variableTracing: true
}]
}
}
];
// Legacy eslintrc configuration
{
"plugins": ["no-unsanitized"],
"rules": {
"no-unsanitized/property": ["error", {
"escape": {
"taggedTemplates": ["html", "escapeHTML"],
"methods": ["sanitize"]
}
}]
}
}
// Disable specific rules
{
"rules": {
"no-unsanitized/property": "off",
"no-unsanitized/method": "warn"
}
}
// Advanced configuration with custom rule definitions
export default [
{
files: ["**/*.js"],
plugins: { "no-unsanitized": nounsanitized },
rules: {
"no-unsanitized/method": ["error",
{
// Disable all default checks
defaultDisable: true,
escape: {
taggedTemplates: ["safeHTML"]
}
},
{
// Custom method: check first parameter of html() function
html: {
properties: [0]
}
}
],
"no-unsanitized/property": ["error",
{
escape: {
taggedTemplates: ["safeHTML"]
}
},
{
// Custom property: check innerHTML only on document objects
innerHTML: {
objectMatches: ["document.*"]
}
}
]
}
}
];
// Variable tracing configuration
{
"rules": {
"no-unsanitized/property": ["error", {
"variableTracing": false // Disable variable back-tracing
}],
"no-unsanitized/method": ["error", {
"variableTracing": true // Enable variable back-tracing (default)
}]
}
}The plugin recognizes these escape functions by default:
const DEFAULT_ESCAPE_FUNCTIONS = {
taggedTemplates: [
"Sanitizer.escapeHTML",
"escapeHTML"
],
methods: [
"Sanitizer.unwrapSafeHTML",
"unwrapSafeHTML"
]
};The plugin integrates seamlessly with ESLint's rule system:
// Plugin metadata
interface PluginMeta {
name: "eslint-plugin-no-unsanitized";
version: string; // Version from package.json
}
// Rule structure follows ESLint conventions
interface ESLintRule {
meta: {
type: "problem";
docs: {
description: string;
category: string;
url: string;
};
schema: JSONSchemaArray;
};
create(context: ESLintRuleContext): RuleVisitor;
}