bug/feature_request(no-mixed-html): HTML elements inside string without concatenation

### 1. Summary

eslint-plugin-xss returns errors, if I use JavaScript like this:

```js
console.log("<div>");
console.log('<p>');

```

It seems to me that the plugin shouldn’t return errors in such cases.

### 2. MCVE

#### 2.1. Files

`.eslintrc.yml`:

```yaml
extends:
- plugin:xss/recommended

plugins:
- xss

```

`KiraHTMLElementsInsideString.js`:

```js
console.log("<div>");
console.log('<p>');

```

#### 2.2. CLI commands

```text
npm install --save-dev eslint eslint-plugin-xss

npx eslint KiraHTMLElementsInString.js
```

#### 2.3. Behavior

##### 2.3.1. Desired

No errors.

##### 2.3.2. Current

```text
D:\SashaDebugging\KiraUnicornESLintXSS\KiraHTMLElementsInString.js
  1:1  error  HTML passed in to function 'console.log'  xss/no-mixed-html
  2:1  error  HTML passed in to function 'console.log'  xss/no-mixed-html

✖ 2 problems (2 errors, 0 warnings)
```

### 3. Reason why plugin changes needed

In my example, I used solely strings, without JavaScript expressions, operators, concatenation, methods, functions, and so on. This isn’t “mixed HTML”, as the name of the plugin rule named, and strings isn’t concatenated. It seems to me that such strings safe for XSS attacks and the plugin should allow them. If the code isn’t safe to use, please explain why.

Thanks.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bug/feature_request(no-mixed-html): HTML elements inside string without concatenation #14

1. Summary

2. MCVE

2.1. Files

2.2. CLI commands

2.3. Behavior

2.3.1. Desired

2.3.2. Current

3. Reason why plugin changes needed

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development