eslint-plugin-no-unsanitized
Version 4.1.5, verified Sat Apr 25
ESLint plugin to disallow unsafe coding practices like direct assignments to innerHTML or calls to insertAdjacentHTML without sanitization. Developed by Mozilla, it supports ESLint 9 and 10 (v4.x), and the Sanitizer API. Key differentiators: focuses on security, requires tagged template literals for escaping, and has two rules (method and property).
Common errors
error ESLint couldn't find the plugin "eslint-plugin-no-unsanitized".
cause Missing plugin in flat config; using legacy require or an incorrect plugin object.
fix Ensure the correct import: import nounsanitized from 'eslint-plugin-no-unsanitized' and add it to the plugins object.
error Definition for rule 'no-unsanitized/method' was not found.
cause Using the legacy rule prefix 'no-unsanitized/' in flat config with v4.
fix Use the prefix 'nounsanitized/' instead: 'nounsanitized/method': 'error'.
error Cannot find module 'eslint-plugin-no-unsanitized'
cause Plugin not installed, or used in a CommonJS environment without a default import.
fix Install with 'npm install --save-dev eslint-plugin-no-unsanitized' and use ESM import syntax.
error Failed to load config "plugin:no-unsanitized/recommended-legacy"
cause Using legacy eslintrc extends in ESLint 9+ with flat config.
fix Migrate to flat config: import the plugin and spread its configs.recommended.
Warnings
breaking v4 dropped support for the eslintrc (legacy) config format. Only flat config is supported.
fix Migrate to flat config using `import nounsanitized from 'eslint-plugin-no-unsanitized'` and spread `nounsanitized.configs.recommended`.
breaking v4 requires ESLint ^9.0.0; it no longer works with ESLint <9.
fix Upgrade ESLint to version 9 or 10.
deprecated In v3 and earlier, the plugin was imported via require and rules were referenced as 'no-unsanitized/...'. This pattern is deprecated in v4.
fix Use `import nounsanitized from 'eslint-plugin-no-unsanitized'` and reference rules as 'nounsanitized/...'.
gotcha The plugin only allows sanitization via tagged template literals with `Sanitizer.escapeHTML` or `escapeHTML`. Other escaping functions are not recognized.
fix Use the `escapeHTML` tagged template syntax: ``escapeHTML`userInput` `` or ``Sanitizer.escapeHTML`userInput` ``.
gotcha Calling `setHTMLUnsafe` is disallowed by default since v4.1.0 unless configured otherwise.
fix To allow `setHTMLUnsafe`, set `'nounsanitized/method': ['error', { allowSafe: false }]` or a similar custom rule configuration.
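The tagged-template pattern the gotcha above refers to, as an added example that is not the plugin's or Mozilla's code: a minimal `escapeHTML` tag (a stand-in for `Sanitizer.escapeHTML`, assumed unavailable here) beside the unsanitized innerHTML assignment the property rule reports. The element and sample input are constructed so it runs outside a browser.

```javascript
// Added example, not from eslint-plugin-no-unsanitized. A stand-in escapeHTML
// tag with the shape the plugin recognizes (assumption: the real
// Sanitizer.escapeHTML is not available in this environment).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeString(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function: the literal parts are author-written markup and are kept
// verbatim; every interpolated value is escaped before it is joined in. This is
// why the plugin insists on a tagged template rather than a plain escape call:
// there is no way to pass untrusted text into the result without escaping it.
function escapeHTML(strings, ...values) {
  return strings.reduce(
    (out, literal, i) => out + literal + (i < values.length ? escapeString(values[i]) : ''),
    ''
  );
}

// Shape the nounsanitized/property rule reports: untrusted text is
// concatenated straight into the markup that becomes innerHTML.
function renderUnsafe(el, userInput) {
  el.innerHTML = '<li>' + userInput + '</li>';
  return el.innerHTML;
}

// Accepted shape: same markup, but data enters only through the escapeHTML tag,
// so the untrusted part is rendered as text and never as markup.
function renderSafe(el, userInput) {
  el.innerHTML = escapeHTML`<li>${userInput}</li>`;
  return el.innerHTML;
}

// Constructed sample input and a minimal element stand-in.
const sampleInput = '<img src=x onerror="alert(1)">';
const fakeElement = { innerHTML: '' };
console.log(renderUnsafe(fakeElement, sampleInput));
console.log(renderSafe(fakeElement, sampleInput));
```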
Install
npm install eslint-plugin-no-unsanitized
yarn add eslint-plugin-no-unsanitized
pnpm add eslint-plugin-no-unsanitized
Imports
- default
  wrong: const nounsanitized = require('eslint-plugin-no-unsanitized')
  correct: import nounsanitized from 'eslint-plugin-no-unsanitized'
- configs.recommended
  wrong: require('eslint-plugin-no-unsanitized').configs.recommended
  correct: import nounsanitized from 'eslint-plugin-no-unsanitized'; ... nounsanitized.configs.recommended
- plugins
  wrong: plugins: { 'no-unsanitized': nounsanitized }
  correct: plugins: { nounsanitized }
Quickstart
// eslint.config.js: flat config, the only format v4 supports
import nounsanitized from 'eslint-plugin-no-unsanitized';

export default [
  // registers the plugin under the 'nounsanitized' key with its recommended rules
  nounsanitized.configs.recommended,
  {
    rules: {
      'nounsanitized/method': 'error',
      'nounsanitized/property': 'error'
    }
  }
];