/** * @fileoverview Restrict or warn use of v-html to prevent XSS attack * @author Nathan Zeplowitz */ 'use strict' const utils = require('../utils') module.exports = { meta: { type: 'suggestion', docs: { description: 'disallow use of v-html to prevent XSS attack', categories: ['vue3-recommended', 'vue2-recommended'], url: 'https://eslint.vuejs.org/rules/no-v-html.html' }, fixable: null, schema: [], messages: { unexpected: "'v-html' directive can lead to XSS attack." } }, /** @param {RuleContext} context */ create(context) { return utils.defineTemplateBodyVisitor(context, { /** @param {VDirective} node */ "VAttribute[directive=true][key.name.name='html']"(node) { context.report({ node, loc: node.loc, messageId: 'unexpected' }) } }) } }