chore(lint): enable svelte/no-at-html-tags as primary XSS guard

Promote svelte/no-at-html-tags to project-wide error so any new {@html} block fails lint locally and in CI — the primary XSS defense. The existing .gitea/workflows/ci.yml raw-date regex guard stays in place as layered defense (it covers the specific raw-date variable names that must NEVER be rendered via {@html}). Existing legitimate {@html} usages (renderBody mentions in CommentMessage.svelte, sanitized Markdown in geschichten/[id]) already carry justified inline `eslint-disable-next-line` comments. Lint stays green; verified by running npm run lint. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 10:45:10 +02:00
parent 22603a4b04
commit f80dda74f0
1 changed files with 7 additions and 1 deletions
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -71,7 +71,13 @@ export default defineConfig(
 					message:
 						'text-accent is decorative-only (#a1dcd8 in light mode = 1.52:1 contrast — WCAG fail). Use text-primary or text-ink-2 for text labels.'
 				}
-			]
+			],
+			// Primary XSS guard: any {@html ...} block in a Svelte template is a potential
+			// injection sink. This rule replaces the regex CI guard's role as the primary
+			// defense (the CI regex stays as a backstop). For any legitimate use (e.g.
+			// trusted server-rendered Markdown), suppress with an inline
+			// `<!-- eslint-disable-next-line svelte/no-at-html-tags -->` and a justification.
+			'svelte/no-at-html-tags': 'error'
 		}
 	},
 	{