Rule proposal: `require-css-escape` #2318

silverwind · 2024-04-10T22:43:56Z

CSS.escape should always be used when interpolating arbritrary variables into a CSS selector to ensure correct escaping.

document.querySelector(`#${id}`);

el.querySelectorAll(`a[href^="#${hash}"]`);

document.querySelector(`#${CSS.escape(id)}`);

el.querySelectorAll(`a[href^="#${CSS.escape(hash)}"]`);

Any tagged template should not trigger the rule:

document.querySelector(cssEscape`#${id}`);

sindresorhus · 2024-05-07T11:19:50Z

Accepted

silverwind added evaluating new rule labels Apr 10, 2024

sindresorhus added help wanted and removed evaluating labels May 7, 2024

Provide feedback