Extract rule: template-no-triple-curlies

NullVoxPopuli · NullVoxPopuli · commit d87635610231 · 2026-03-21T08:36:44.000-04:00
diff --git a/README.md b/README.md
@@ -427,6 +427,7 @@ rules in templates can be disabled with eslint directives with mustache or html
 | Name                                                                   | Description                                                     | 💼 | 🔧 | 💡 |
 | :--------------------------------------------------------------------- | :-------------------------------------------------------------- | :- | :- | :- |
 | [template-link-rel-noopener](docs/rules/template-link-rel-noopener.md) | require rel="noopener noreferrer" on links with target="_blank" |    | 🔧 |    |
+| [template-no-triple-curlies](docs/rules/template-no-triple-curlies.md) | disallow usage of triple curly brackets (unescaped variables)   |    |    |    |
 
 ### Services
 
diff --git a/docs/rules/template-no-triple-curlies.md b/docs/rules/template-no-triple-curlies.md
@@ -0,0 +1,62 @@
+# ember/template-no-triple-curlies
+
+<!-- end auto-generated rule header -->
+
+Disallows usage of triple curly brackets (unescaped output) in templates.
+
+Triple curly brackets (`{{{ }}}`) render unescaped HTML, which can lead to XSS (Cross-Site Scripting) vulnerabilities if user input is not properly sanitized.
+
+## Rule Details
+
+This rule disallows the use of triple curly brackets for unescaped output. If you need to render HTML, use the `htmlSafe` helper or `SafeString` API with proper sanitization.
+
+## Examples
+
+Examples of **incorrect** code for this rule:
+
+```gjs
+<template>
+  {{{this.content}}}
+</template>
+```
+
+```gjs
+<template>
+  <div>
+    {{{@htmlContent}}}
+  </div>
+</template>
+```
+
+Examples of **correct** code for this rule:
+
+```gjs
+<template>
+  {{this.content}}
+</template>
+```
+
+```gjs
+<template>
+  {{htmlSafe this.sanitizedContent}}
+</template>
+```
+
+```gjs
+<template>
+  <div>{{@text}}</div>
+</template>
+```
+
+## When Not To Use It
+
+If you are certain that the content being rendered is already sanitized and safe, you may disable this rule. However, this is generally discouraged for security reasons.
+
+## Related Rules
+
+- [no-html-safe](./no-html-safe.md) from eslint-plugin-ember
+
+## References
+
+- [eslint-plugin-ember template-no-triple-curlies](https://github.com/ember-cli/eslint-plugin-ember/blob/master/docs/rules/template-no-triple-curlies.md)
+- [Ember.js Security Guide](https://guides.emberjs.com/release/security/)
diff --git a/lib/rules/template-no-triple-curlies.js b/lib/rules/template-no-triple-curlies.js
@@ -0,0 +1,40 @@
+/** @type {import('eslint').Rule.RuleModule} */
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'disallow usage of triple curly brackets (unescaped variables)',
+      category: 'Security',
+      recommended: false,
+      url: 'https://github.com/ember-cli/eslint-plugin-ember/tree/master/docs/rules/template-no-triple-curlies.md',
+      templateMode: 'both',
+    },
+    fixable: null,
+    schema: [],
+    messages: {
+      unsafe:
+        'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
+    },
+    originallyFrom: {
+      name: 'ember-template-lint',
+      rule: 'lib/rules/no-triple-curlies.js',
+      docs: 'docs/rule/no-triple-curlies.md',
+      tests: 'test/unit/rules/no-triple-curlies-test.js',
+    },
+  },
+
+  create(context) {
+    return {
+      GlimmerMustacheStatement(node) {
+        // Check if the statement is unescaped (triple curlies)
+        // Use 'trusting' property (escaped is deprecated)
+        if (node.trusting === true) {
+          context.report({
+            node,
+            messageId: 'unsafe',
+          });
+        }
+      },
+    };
+  },
+};
diff --git a/tests/lib/rules/template-no-triple-curlies.js b/tests/lib/rules/template-no-triple-curlies.js
@@ -0,0 +1,99 @@
+//------------------------------------------------------------------------------
+// Requirements
+//------------------------------------------------------------------------------
+
+const rule = require('../../../lib/rules/template-no-triple-curlies');
+const RuleTester = require('eslint').RuleTester;
+
+//------------------------------------------------------------------------------
+// Tests
+//------------------------------------------------------------------------------
+
+const ruleTester = new RuleTester({
+  parser: require.resolve('ember-eslint-parser'),
+  parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
+});
+
+ruleTester.run('template-no-triple-curlies', rule, {
+  valid: [
+    `<template>
+      {{this.content}}
+    </template>`,
+    `<template>
+      <div>{{@text}}</div>
+    </template>`,
+    `<template>
+      {{htmlSafe this.content}}
+    </template>`,
+
+    '<template>{{foo}}</template>',
+  ],
+
+  invalid: [
+    {
+      code: `<template>
+        {{{this.content}}}
+      </template>`,
+      output: null,
+      errors: [
+        {
+          message:
+            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
+          type: 'GlimmerMustacheStatement',
+        },
+      ],
+    },
+    {
+      code: `<template>
+        <div>
+          {{{@htmlContent}}}
+        </div>
+      </template>`,
+      output: null,
+      errors: [
+        {
+          message:
+            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
+          type: 'GlimmerMustacheStatement',
+        },
+      ],
+    },
+
+    {
+      code: `<template>
+ {{{foo}}}</template>`,
+      output: null,
+      errors: [
+        {
+          message:
+            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
+        },
+      ],
+    },
+  ],
+});
+
+const hbsRuleTester = new RuleTester({
+  parser: require.resolve('ember-eslint-parser/hbs'),
+  parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
+});
+
+hbsRuleTester.run('template-no-triple-curlies (hbs)', rule, {
+  valid: [
+    '{{foo}}',
+    '{{! template-lint-disable no-bare-strings }}',
+    '{{! template-lint-disable }}',
+  ],
+  invalid: [
+    {
+      code: '\n {{{foo}}}',
+      output: null,
+      errors: [
+        {
+          message:
+            'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
+        },
+      ],
+    },
+  ],
+});
