While going through the linter rules I found the unsafe_html rule. I see that it has been removed and it's not really explained why. Did these turn out to be safe in the end? I would like to set a src on my IFrameElement() but adding this rule will give me the warning "Avoid unsafe HTML APIs (assigning "src" attribute)." So if this is still unsafe, how then can I safely set the source of my iframe that I load in my widget? Currently I do it like this:
```dart
import 'package:universal_html/html.dart' as html;

// ...

late final html.IFrameElement _iFrameElement;

_iFrameElement = html.IFrameElement();
_iFrameElement.src = widget._source; // this assignment triggers the unsafe_html warning
```
As explained in this GitHub issue:

> The `unsafe_html` lint rule was not meant for external usage. It was implemented for internal usage, before there was a set of internal lint rules.
>
> This rule is not maintained, and does not have any external design. It is also meant to be used with `cannot-ignore` and in a VCS where specific owners have rights to specific files. None of this applies to this repo. Additionally, the rule only helps with `dart:html` elements, which is a library that is not imported anywhere in the flutter/flutter repository.
For further context, see this Dart SDK issue:

> I don't think this rule has provided any value outside Google. It remains the sole subclass of `SecurityLintRule`. We can move it entirely to an internal rule, reducing the maintenance burden as a public rule.
The `unsafe_html` lint rule was primarily designed for internal use within Google and lacked significant utility for the broader developer community. Its deprecation reflects its narrow applicability and limited value outside its original context.

Although this rule has been deprecated, the original concerns around unsafe HTML APIs still apply. Directly setting properties like `src` on an `IFrameElement` can introduce vulnerabilities, such as cross-site scripting (XSS), if the source URL is not properly sanitized.
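One way to validate the URL before it reaches the iframe, as an added example that is not from the question, the answer, or the Dart/Flutter projects. The allowlisted hosts, the `safeEmbedUrl` and `buildFrame` names, and the fallback to `about:blank` are constructed assumptions; the `sandbox` attribute is standard HTML.

```dart
import 'package:universal_html/html.dart' as html;

/// Hypothetical allowlist of hosts this widget is permitted to embed.
/// Replace with the origins your application actually trusts.
const Set<String> allowedEmbedHosts = {'example.com', 'docs.example.com'};

/// Returns a normalised URL if [raw] is acceptable to load in an iframe,
/// or null if it must be rejected. The checks, in order:
///  1. it must parse as a URI at all;
///  2. the scheme must be exactly https (this blocks javascript:, data:,
///     blob:, vbscript: and plain http:, which are the usual XSS carriers);
///  3. there must be a host and no embedded credentials (user:pass@host);
///  4. the host must be on the allowlist, compared case-insensitively.
String? safeEmbedUrl(String raw) {
  final uri = Uri.tryParse(raw.trim());
  if (uri == null) return null;
  if (!uri.isScheme('https')) return null;
  if (!uri.hasAuthority || uri.host.isEmpty) return null;
  if (uri.userInfo.isNotEmpty) return null;
  if (!allowedEmbedHosts.contains(uri.host.toLowerCase())) return null;
  return uri.toString();
}

/// Builds the iframe for [source]. Untrusted or malformed sources are
/// never assigned; the frame is left on about:blank instead.
html.IFrameElement buildFrame(String source) {
  final frame = html.IFrameElement();
  // Limit what the framed document may do even when the URL is accepted.
  // No allow-same-origin here, so the embedded page stays in a unique origin.
  frame.setAttribute('sandbox', 'allow-scripts');
  frame.setAttribute('referrerpolicy', 'no-referrer');

  final url = safeEmbedUrl(source);
  if (url == null) {
    frame.src = 'about:blank'; // constructed fallback: show nothing
  } else {
    frame.src = url; // only an https URL on an allowlisted host gets here
  }
  return frame;
}
```

With this in place the widget code above becomes `_iFrameElement = buildFrame(widget._source);`, and the lint warning, if you re-enable the rule locally, points at the single assignment that is now guarded.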