Merge pull request #2579 from NullVoxPopuli/nvp/template-lint-extract-rule-template-no-triple-curlies

NullVoxPopuli · web-flow · commit 8c8af7c2e323 · 2026-03-21T09:05:06.000-04:00
Extract rule: template-no-triple-curlies
diff --git a/README.md b/README.md
@@ -427,6 +427,7 @@ rules in templates can be disabled with eslint directives with mustache or html
 | Name                                                                   | Description                                                     | 💼 | 🔧 | 💡 |
 | :--------------------------------------------------------------------- | :-------------------------------------------------------------- | :- | :- | :- |
 | [template-link-rel-noopener](docs/rules/template-link-rel-noopener.md) | require rel="noopener noreferrer" on links with target="_blank" |    | 🔧 |    |
+| [template-no-triple-curlies](docs/rules/template-no-triple-curlies.md) | disallow usage of triple curly brackets (unescaped variables)   |    |    |    |
 
 ### Services
 
diff --git a/docs/rules/template-no-triple-curlies.md b/docs/rules/template-no-triple-curlies.md
@@ -0,0 +1,27 @@
+# ember/template-no-triple-curlies
+
+<!-- end auto-generated rule header -->
+
+Usage of triple curly braces to allow raw HTML to be injected into the DOM is a large vector for exploits of your application (especially when the raw HTML is user-controllable). Instead of using `{{{foo}}}`, you should use appropriate helpers or computed properties that return a `SafeString` (via `Ember.String.htmlSafe` generally) and ensure that user-supplied data is properly escaped.
+
+## Examples
+
+This rule **forbids** the following:
+
+```gjs
+<template>
+  {{{foo}}}
+</template>
+```
+
+This rule **allows** the following:
+
+```gjs
+<template>
+  {{foo}}
+</template>
+```
+
+## References
+
+- See the [documentation](https://api.emberjs.com/ember/release/functions/@ember%2Ftemplate/htmlSafe) for Ember's `htmlSafe` function
diff --git a/lib/rules/template-no-triple-curlies.js b/lib/rules/template-no-triple-curlies.js
@@ -0,0 +1,33 @@
+/** @type {import('eslint').Rule.RuleModule} */
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'disallow usage of triple curly brackets (unescaped variables)',
+      category: 'Security',
+      url: 'https://github.com/ember-cli/eslint-plugin-ember/tree/master/docs/rules/template-no-triple-curlies.md',
+      templateMode: 'both',
+    },
+    schema: [],
+    messages: { unsafe: 'Usage of triple curly brackets is unsafe' },
+    originallyFrom: {
+      name: 'ember-template-lint',
+      rule: 'lib/rules/no-triple-curlies.js',
+      docs: 'docs/rule/no-triple-curlies.md',
+      tests: 'test/unit/rules/no-triple-curlies-test.js',
+    },
+  },
+
+  create(context) {
+    return {
+      GlimmerMustacheStatement(node) {
+        if (node.trusting === true) {
+          context.report({
+            node,
+            messageId: 'unsafe',
+          });
+        }
+      },
+    };
+  },
+};
diff --git a/tests/lib/rules/template-no-triple-curlies.js b/tests/lib/rules/template-no-triple-curlies.js
@@ -0,0 +1,55 @@
+//------------------------------------------------------------------------------
+// Requirements
+//------------------------------------------------------------------------------
+
+const rule = require('../../../lib/rules/template-no-triple-curlies');
+const RuleTester = require('eslint').RuleTester;
+
+const validHbs = [
+  '{{foo}}',
+  '{{! template-lint-disable no-bare-strings }}',
+  '{{! template-lint-disable }}',
+  // Upstream also treats `{{! template-lint-disable no-triple-curlies}}{{{lol}}}` as valid,
+  // but this RuleTester does not honor template-lint disable directives.
+];
+
+const invalidHbs = [
+  {
+    code: '\n {{{foo}}}',
+    output: null,
+    errors: [{ message: 'Usage of triple curly brackets is unsafe' }],
+  },
+];
+
+function wrapTemplate(entry) {
+  if (typeof entry === 'string') {
+    return `<template>${entry}</template>`;
+  }
+
+  return {
+    ...entry,
+    code: `<template>${entry.code}</template>`,
+    output: entry.output ? `<template>${entry.output}</template>` : entry.output,
+    errors: entry.errors.map(() => ({ messageId: 'unsafe' })),
+  };
+}
+
+const gjsRuleTester = new RuleTester({
+  parser: require.resolve('ember-eslint-parser'),
+  parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
+});
+
+gjsRuleTester.run('template-no-triple-curlies', rule, {
+  valid: validHbs.map(wrapTemplate),
+  invalid: invalidHbs.map(wrapTemplate),
+});
+
+const hbsRuleTester = new RuleTester({
+  parser: require.resolve('ember-eslint-parser/hbs'),
+  parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
+});
+
+hbsRuleTester.run('template-no-triple-curlies', rule, {
+  valid: validHbs,
+  invalid: invalidHbs,
+});
