Backend rule · P1 · universal · Stack: node
Tags: xml, sanitization, correctness, cdata
Sanitize dynamic text before embedding it in an XML CDATA section
Text placed inside a CDATA block must have the terminator ]]> escaped or split; otherwise untrusted or AI-generated content can produce invalid XML and break the consumer.
PR: hegnar-journalist-boost · org-mining-deep-2026-06
Created: Jun 17, 2026
Bad example
Old code (typescript):
const xml = `<field><![CDATA[${pushNotification}]]></field>`;
// if pushNotification contains ]]> the CDATA section ends early and the XML is broken
Good example
New code (typescript):
// split every "]]>" across two adjacent CDATA sections: "]]" + "]]><![CDATA[" + ">"
const cdata = (s: string) => `<![CDATA[${s.replaceAll(']]>', ']]]]><![CDATA[>')}]]>`;
const xml = `<field>${cdata(pushNotification)}</field>`;
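As an added example (not code from the rules library or the referenced PR), the helper from the rule next to a small CDATA-aware reader that stands in for the XML consumer, showing that the split terminator round-trips untrusted text intact while the unsanitized form does not parse; the field name, function names and sample text are constructed.

```javascript
// Wrap text in CDATA, splitting every "]]>" across two adjacent sections.
// split/join is equivalent to String.prototype.replaceAll here.
function cdata(s) {
  return `<![CDATA[${s.split(']]>').join(']]]]><![CDATA[>')}]]>`;
}

// The "before" form from the rule: the raw text is dropped into one section.
function unsafeField(s) {
  return `<field><![CDATA[${s}]]></field>`;
}

// The "after" form from the rule.
function safeField(s) {
  return `<field>${cdata(s)}</field>`;
}

// Minimal stand-in for the consuming XML parser (constructed for this example):
// a CDATA section ends at the FIRST "]]>", adjacent sections are concatenated,
// and anything that is not a CDATA section inside <field> means the markup is
// broken. Returns { text, ok }; ok === false means the element did not parse.
function readField(xml) {
  const open = '<field>';
  const close = '</field>';
  const start = '<![CDATA[';
  if (!xml.startsWith(open) || !xml.endsWith(close)) return { text: '', ok: false };
  let body = xml.slice(open.length, xml.length - close.length);
  let text = '';
  while (body.length > 0) {
    if (!body.startsWith(start)) return { text, ok: false }; // stray markup after a section
    const end = body.indexOf(']]>', start.length);
    if (end === -1) return { text, ok: false }; // unterminated section
    text += body.slice(start.length, end);
    body = body.slice(end + ']]>'.length);
  }
  return { text, ok: true };
}

// Untrusted input containing the terminator (constructed sample).
const pushNotification = 'Breaking: ]]> is not a bug';
console.log(readField(unsafeField(pushNotification))); // { text: 'Breaking: ', ok: false }
console.log(readField(safeField(pushNotification)));   // { text: 'Breaking: ]]> is not a bug', ok: true }
```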