vue/no-v-html

disallow use of v-html to prevent XSS attack

⚙️ This rule is included in all of "plugin:vue/recommended", *.configs["flat/recommended"], "plugin:vue/vue2-recommended" and *.configs["flat/vue2-recommended"].

📖 Rule Details

This rule reports all uses of v-html directive in order to reduce the risk of injecting potentially unsafe / unescaped html into the browser leading to Cross-Site Scripting (XSS) attacks.

Now loading...

🔧 Options

json

{
    "vue/no-v-html": ["error", {
        "ignorePattern": "^html"
    }]
}

ignorePattern ... disables reporting when the v-html directive references a variable matching this pattern. By default, all v-html uses are forbidden.

`{ "ignorePattern": "^html" }`

Now loading...

🔇 When Not To Use It

If you are certain the content passed to v-html is sanitized HTML you can disable this rule.

vue/no-v-text
vue/no-v-text-v-html-on-component

🚀 Version

This rule was introduced in eslint-plugin-vue v4.7.0

🔍 Implementation

Rule source
Test source

vue/no-v-html ​

📖 Rule Details ​

🔧 Options ​

{ "ignorePattern": "^html" } ​

🔇 When Not To Use It ​

👫 Related Rules ​

🚀 Version ​

🔍 Implementation ​