unsafe_html

Avoid unsafe HTML APIs.

This rule is available as of Dart 2.4.

Details

AVOID

  • assigning directly to the href field of an AnchorElement
  • assigning directly to the src field of an EmbedElement, IFrameElement, or ScriptElement
  • assigning directly to the srcdoc field of an IFrameElement
  • calling the createFragment method of Element
  • calling the open method of Window
  • calling the setInnerHtml method of Element
  • calling the Element.html constructor
  • calling the DocumentFragment.html constructor

BAD:

```dart
var script = ScriptElement()..src = 'foo.js';
```
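
An added example, not from the original page or the Dart project: one of the flagged calls (`setInnerHtml`) beside a variant that builds the nodes explicitly and passes untrusted values only through the `text` setter, so none of the listed APIs is used. The function names, the `#comments` element id and the sample strings are assumptions made for illustration.

```dart
import 'dart:html';

// Flagged by unsafe_html: author and body are interpolated into a string
// that is then parsed as HTML.
void renderCommentUnsafe(Element container, String author, String body) {
  container.setInnerHtml('<p><b>$author</b>: $body</p>');
}

// Not flagged: the structure comes from element constructors, and the
// untrusted values are only ever assigned as text, never parsed as markup.
void renderComment(Element container, String author, String body) {
  final name = Element.tag('b')..text = author;
  final line = ParagraphElement()
    ..append(name)
    ..append(Text(': $body'));
  container
    ..children.clear()
    ..append(line);
}

void main() {
  // Hypothetical container id, assumed to exist in the host page.
  final container = querySelector('#comments');
  if (container == null) return;

  // Constructed sample input that contains markup characters; it is shown
  // literally in the page instead of being interpreted as an element.
  renderComment(container, 'alice', 'is <b>this</b> bold?');
}
```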

Usage

To enable the unsafe_html rule, add unsafe_html under linter > rules in your analysis_options.yaml file:

```yaml
linter:
  rules:
    - unsafe_html
```