feat: Add ignorePattern to no-v-html

lucaswerkmeister · lucaswerkmeister · commit c98c01e80ab2 · 2025-07-29T17:26:17.000+02:00
This allows configuring the rule such that certain variables are allowed
in v-html=. For instance, we would like to allowlist variables named
“*Html” (as in the test), where the name already marks them as
containing safe HTML that’s expected to be used with v-html=.
diff --git a/.changeset/purple-lights-invite.md b/.changeset/purple-lights-invite.md
@@ -0,0 +1,5 @@
+---
+'eslint-plugin-vue': minor
+---
+
+Added `ignorePattern` option to [`vue/no-v-html`](https://eslint.vuejs.org/rules/no-v-html.html)
diff --git a/lib/rules/no-v-html.js b/lib/rules/no-v-html.js
@@ -4,6 +4,7 @@
  */
 'use strict'
 const utils = require('../utils')
+const { toRegExp } = require('../utils/regexp')
 
 module.exports = {
   meta: {
@@ -14,16 +15,32 @@ module.exports = {
       url: 'https://eslint.vuejs.org/rules/no-v-html.html'
     },
     fixable: null,
-    schema: [],
+    schema: [{
+      type: 'object',
+      properties: {
+        ignorePattern: {
+          type: 'string'
+        }
+      }
+    }],
     messages: {
       unexpected: "'v-html' directive can lead to XSS attack."
     }
   },
   /** @param {RuleContext} context */
   create(context) {
+    const options = context.options[0]
+    let ignoredVarMatcher = null
+    if (options?.ignorePattern) {
+      ignoredVarMatcher = toRegExp(options.ignorePattern, { remove: 'g' })
+    }
+
     return utils.defineTemplateBodyVisitor(context, {
       /** @param {VDirective} node */
       "VAttribute[directive=true][key.name.name='html']"(node) {
+        if (ignoredVarMatcher !== null && node.value.expression.type === 'Identifier' && ignoredVarMatcher.test(node.value.expression.name)) {
+          return
+        }
         context.report({
           node,
           loc: node.loc,
diff --git a/tests/lib/rules/no-v-html.js b/tests/lib/rules/no-v-html.js
@@ -28,6 +28,11 @@ ruleTester.run('no-v-html', rule, {
     {
       filename: 'test.vue',
       code: '<template><div v-if="foo" v-bind="bar"></div></template>'
+    },
+    {
+      filename: 'test.vue',
+      code: '<template><div v-html="knownHtml"></div></template>',
+      options: [{ignorePattern: '/^(?:html|.+Html)$/'}]
     }
   ],
   invalid: [
@@ -45,6 +50,12 @@ ruleTester.run('no-v-html', rule, {
       filename: 'test.vue',
       code: '<template><section v-html/></template>',
       errors: ["'v-html' directive can lead to XSS attack."]
+    },
+    {
+      filename: 'test.vue',
+      code: '<template><div v-html="unsafeString"></div></template>',
+      options: [{ignorePattern: '^(?:html|.+Html)$'}],
+      errors: ["'v-html' directive can lead to XSS attack."]
     }
   ]
 })

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'eslint-plugin-vue': minor
 +---
++
 +Added `ignorePattern` option to [`vue/no-v-html`](https://eslint.vuejs.org/rules/no-v-html.html)
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,11 @@ ruleTester.run('no-v-html', rule, {`
`28`	`28`	`{`
`29`	`29`	`filename: 'test.vue',`
`30`	`30`	`code: '<template><div v-if="foo" v-bind="bar"></div></template>'`
	`31`	`+ },`
	`32`	`+ {`
	`33`	`+ filename: 'test.vue',`
	`34`	`+ code: '<template><div v-html="knownHtml"></div></template>',`
	`35`	`+ options: [{ignorePattern: '/^(?:html\|.+Html)$/'}]`
`31`	`36`	`}`
`32`	`37`	`],`
`33`	`38`	`invalid: [`
`@@ -45,6 +50,12 @@ ruleTester.run('no-v-html', rule, {`
`45`	`50`	`filename: 'test.vue',`
`46`	`51`	`code: '<template><section v-html/></template>',`
`47`	`52`	`errors: ["'v-html' directive can lead to XSS attack."]`
	`53`	`+ },`
	`54`	`+ {`
	`55`	`+ filename: 'test.vue',`
	`56`	`+ code: '<template><div v-html="unsafeString"></div></template>',`
	`57`	`+ options: [{ignorePattern: '^(?:html\|.+Html)$'}],`
	`58`	`+ errors: ["'v-html' directive can lead to XSS attack."]`
`48`	`59`	`}`
`49`	`60`	`]`
`50`	`61`	`})`