From f80dda74f0c570dd828abc6c65b6807958647ce0 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Thu, 28 May 2026 10:45:10 +0200
Subject: [PATCH] chore(lint): enable svelte/no-at-html-tags as primary XSS guard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Promote svelte/no-at-html-tags to project-wide error so any new {@html} block fails lint locally and in CI — the primary XSS defense. The existing .gitea/workflows/ci.yml raw-date regex guard stays in place as layered defense (it covers the specific raw-date variable names that must NEVER be rendered via {@html}). Existing legitimate {@html} usages (renderBody mentions in CommentMessage.svelte, sanitized Markdown in geschichten/[id]) already carry justified inline `eslint-disable-next-line` comments. Lint stays green; verified by running npm run lint.
Co-Authored-By: Claude Opus 4.7
---
 frontend/eslint.config.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/frontend/eslint.config.js b/frontend/eslint.config.js
index 037353b8..79384407 100644
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -71,7 +71,13 @@ export default defineConfig(
 message: 'text-accent is decorative-only (#a1dcd8 in light mode = 1.52:1 contrast — WCAG fail). Use text-primary or text-ink-2 for text labels.'
 }
- ]
+ ],
+ // Primary XSS guard: any {@html ...} block in a Svelte template is a potential
+ // injection sink. This rule replaces the regex CI guard's role as the primary
+ // defense (the CI regex stays as a backstop). For any legitimate use (e.g.
+ // trusted server-rendered Markdown), suppress with an inline
+ // `` and a justification.
+ 'svelte/no-at-html-tags': 'error'
 }
 },
 {
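Review bot: The "justified inline comment" requirement this guard relies on is not enforced by anything in the hunk — ESLint accepts a bare `eslint-disable-next-line svelte/no-at-html-tags` with no reason, so the rule's value depends entirely on reviewers noticing suppressions; at minimum add `linterOptions: { reportUnusedDisableDirectives: 'error' }` to this config object so stale suppressions fail lint, and consider a require-description rule if the project already carries an eslint-comments plugin. Whether the rule fires at all for `.svelte` files depends on this object's `files` glob and svelte parser/plugin registration, which lie above the hunk (the `defineConfig(` call and the object start outside it), so verify with a throwaway `{@html x}` that lint actually goes red. The new comment's example of a legitimate use, "trusted server-rendered Markdown", names the wrong property: the defense at an `{@html}` site is that the string was passed through an HTML sanitizer, not that it came from the server — I would write `// HTML that has already been run through an HTML sanitizer), suppress with an inline`. As rendered here, the last comment line shows the directive as an empty pair of backticks, presumably because an HTML-comment-style `eslint-disable-next-line` directive was stripped as markup; confirm the committed text actually names the directive and the rule, since a comment that says "suppress with an inline `` " gives the next developer nothing to copy.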