{"id":19859,"library":"eslint-plugin-no-unsanitized","title":"eslint-plugin-no-unsanitized","description":"ESLint plugin to disallow unsafe coding practices like direct assignments to innerHTML or calls to insertAdjacentHTML without sanitization. Developed by Mozilla, it supports ESLint 9 and 10 (v4.x), and the Sanitizer API. Key differentiators: focuses on security, requires tagged template literals for escaping, and has two rules (method and property).","status":"active","version":"4.1.5","language":"javascript","source_language":"en","source_url":"https://github.com/mozilla/eslint-plugin-no-unsanitized/issues","tags":["javascript","eslint","eslint-plugin","eslintplugin","lint","sanitize","innerHTML","security"],"install":[{"cmd":"npm install eslint-plugin-no-unsanitized","lang":"bash","label":"npm"},{"cmd":"yarn add eslint-plugin-no-unsanitized","lang":"bash","label":"yarn"},{"cmd":"pnpm add eslint-plugin-no-unsanitized","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"required peer dependency; works with ESLint ^9 or ^10","package":"eslint","optional":false}],"imports":[{"note":"ESM-only since v4. Flat config only.","wrong":"const nounsanitized = require('eslint-plugin-no-unsanitized')","symbol":"default","correct":"import nounsanitized from 'eslint-plugin-no-unsanitized'"},{"note":"Access via default import; no named export for configs.","wrong":"require('eslint-plugin-no-unsanitized').configs.recommended","symbol":"configs.recommended","correct":"import nounsanitized from 'eslint-plugin-no-unsanitized'; ... 
nounsanitized.configs.recommended"},{"note":"The plugin object is keyed as 'nounsanitized' in flat config; rules are prefixed with 'nounsanitized/'","wrong":"plugins: { 'no-unsanitized': nounsanitized }","symbol":"plugins","correct":"plugins: { nounsanitized }"}],"quickstart":{"code":"import nounsanitized from 'eslint-plugin-no-unsanitized';\n\nexport default [\n  nounsanitized.configs.recommended,\n  {\n    rules: {\n      'nounsanitized/method': 'error',\n      'nounsanitized/property': 'error'\n    }\n  }\n];\n","lang":"javascript","description":"Shows how to enable both rules using flat config (ESLint >=9)."},"warnings":[{"fix":"Migrate to flat config using `import nounsanitized from 'eslint-plugin-no-unsanitized'` and spread `nounsanitized.configs.recommended`.","message":"v4 dropped support for eslintrc (legacy) config format. Only flat config is supported.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Upgrade ESLint to version 9 or 10.","message":"v4 requires ESLint ^9.0.0; no longer works with ESLint <9.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Use `import nounsanitized from 'eslint-plugin-no-unsanitized'` and reference rules as 'nounsanitized/...'.","message":"In v3 and earlier, the plugin was imported via require and rules referenced as 'no-unsanitized/...'. This pattern is deprecated in v4.","severity":"deprecated","affected_versions":"<4.0.0"},{"fix":"Pass the untrusted value as an interpolation inside a recognized tagged template: ``escapeHTML`${userInput}` `` or ``Sanitizer.escapeHTML`${userInput}` ``. Only interpolated `${...}` values are handed to the tag for escaping; text typed directly inside the backticks is a literal.","message":"The plugin only allows sanitization via tagged template literals with `Sanitizer.escapeHTML` or `escapeHTML`. 
Other escaping functions are not recognized unless they are added through the rule's `escape` option.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"To allow `setHTMLUnsafe`, set `'nounsanitized/method': ['error', { allowSafe: false }]` or a similar custom config; confirm the exact option name against the plugin's rule documentation before relying on it. `setHTMLUnsafe` parses markup without sanitizing it, so allowing it removes the check at that sink; prefer `setHTML` or an already-escaped value where possible.","message":"Calling `setHTMLUnsafe` is disallowed by default since v4.1.0 unless configured otherwise.","severity":"gotcha","affected_versions":">=4.1.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Ensure correct import: `import nounsanitized from 'eslint-plugin-no-unsanitized'` and add to plugins object.","cause":"Missing plugin in flat config; using legacy require or incorrect plugin object.","error":"ESLint couldn't find the plugin \"eslint-plugin-no-unsanitized\"."},{"fix":"Use prefix 'nounsanitized/' instead: `'nounsanitized/method': 'error'`.","cause":"Using legacy rule prefix 'no-unsanitized/' in flat config v4.","error":"Definition for rule 'no-unsanitized/method' was not found."},{"fix":"Install with 'npm install --save-dev eslint-plugin-no-unsanitized' and use ESM import syntax.","cause":"Plugin not installed or used in CommonJS environment without default import.","error":"Cannot find module 'eslint-plugin-no-unsanitized'"},{"fix":"Migrate to flat config: import plugin and spread its configs.recommended.","cause":"Using legacy eslintrc extends in ESLint 9+ with flat config.","error":"Failed to load config \"plugin:no-unsanitized/recommended-legacy\""}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}