Merge pull request #639 from wxiaoguang/patch-1

Stricter html string check

Author: arelia

docs/rules/unescaped-html-literal.md

@@ -8,7 +8,7 @@
 
 Constructing raw HTML with string literals is error prone and may lead to security issues.
 
-Instead use [`lit-html`](https://github.com/Polymer/lit-html)'s `html` tagged template literal to safely construct HTML literal strings. Alternatively, you can use document builder APIs like `document.createElement`.
+Instead use [`lit-html`](https://github.com/Polymer/lit-html)'s `html` tagged template literal to safely construct HTML literal strings. Alternatively, you can implement your own `html` tagged template literal function, or use document builder APIs like `document.createElement`.
 
 👎 Examples of **incorrect** code for this rule:
 

lib/rules/unescaped-html-literal.js

@@ -15,7 +15,7 @@ export default {
   },
 
   create(context) {
-    const htmlOpenTag = /^<[a-zA-Z]/
+    const htmlOpenTag = /^\s*<[a-zA-Z]/
 
     return {
       Literal(node) {

tests/unescaped-html-literal.js

@@ -57,6 +57,16 @@ ruleTester.run('unescaped-html-literal', rule, {
         },
       ],
     },
+    {
+      code: "const helloHTML = ` \n\t<div>Hello ${name}!</div>`",
+      parserOptions: {ecmaVersion: 2017},
+      errors: [
+        {
+          message: 'Unescaped HTML literal. Use html`` tag template literal for secure escaping.',
+          type: 'TemplateLiteral',
+        },
+      ],
+    },
     {
       code: 'const helloHTML = foo`<div>Hello ${name}!</div>`',
       parserOptions: {ecmaVersion: 2017},