patel-vansh · patel-vansh · Nov 11, 2025 · Nov 11, 2025
diff --git a/tests/fixtures/common/ComplexExpression.expected.json b/tests/fixtures/common/ComplexExpression.expected.json
@@ -0,0 +1,43 @@
+{
+    "filename": "ComplexExpression.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": [
+        {
+            "filename": "ComplexExpression.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 6,
+                "column": 11
+            },
+            "end": {
+                "line": 6,
+                "column": 22
+            }
+        },
+        {
+            "filename": "ComplexExpression.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 7,
+                "column": 11
+            },
+            "end": {
+                "line": 7,
+                "column": 29
+            }
+        },
+        {
+            "filename": "ComplexExpression.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 8,
+                "column": 11
+            },
+            "end": {
+                "line": 8,
+                "column": 36
+            }
+        }
+    ]
+}
diff --git a/tests/fixtures/common/ComplexExpression.svelte b/tests/fixtures/common/ComplexExpression.svelte
@@ -0,0 +1,9 @@
+<script>
+    let obj = { content: "<div>Test</div>" };
+</script>
+
+<div>
+    {@html obj.content}
+    {@html obj.content.trim()}
+    {@html obj.content.toUpperCase()}
+</div>
diff --git a/tests/fixtures/common/ComplexExpressionWithComment.expected.json b/tests/fixtures/common/ComplexExpressionWithComment.expected.json
@@ -0,0 +1,19 @@
+{
+    "filename": "ComplexExpressionWithComment.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": [
+        {
+            "filename": "ComplexExpressionWithComment.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 10,
+                "column": 11
+            },
+            "end": {
+                "line": 10,
+                "column": 36
+            }
+        }
+    ]
+}
diff --git a/tests/fixtures/common/ComplexExpressionWithComment.svelte b/tests/fixtures/common/ComplexExpressionWithComment.svelte
@@ -0,0 +1,11 @@
+<script>
+    let obj = { content: "<div>Test</div>" };
+</script>
+
+<div>
+    <!-- svelte-ignore unsafe_html -->
+    {@html obj.content}
+    <!-- svelte-ignore unsafe_html -->
+    {@html obj.content.trim()}
+    {@html obj.content.toUpperCase()}
+</div>
diff --git a/.../OneUnsafeWithIgnoreComment.expected.json → tests/fixtures/common/Empty.expected.json b/.../OneUnsafeWithIgnoreComment.expected.json → tests/fixtures/common/Empty.expected.json
@@ -1,5 +1,5 @@
 {
-    "filename": "OneUnsafeWithIgnoreComment.svelte",
+    "filename": "Empty.svelte",
     "parsed": true,
     "error": null,
     "warnings": []

diff --git a/tests/fixtures/common/Empty.svelte b/tests/fixtures/common/Empty.svelte
diff --git a/tests/fixtures/common/EmptyWithComment.expected.json b/tests/fixtures/common/EmptyWithComment.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "EmptyWithComment.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/EmptyWithComment.svelte b/tests/fixtures/common/EmptyWithComment.svelte
@@ -0,0 +1 @@
+<!-- This is empty file with comment. -->
diff --git a/tests/fixtures/common/InComments.expected.json b/tests/fixtures/common/InComments.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "InComments.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/InComments.svelte b/tests/fixtures/common/InComments.svelte
@@ -0,0 +1,8 @@
+<script>
+    // {@html commented}
+    /* {@html blocked} */
+    let x = 1;
+</script>
+
+<!-- {@html inHTMLComment} -->
+<div>Normal content</div>
diff --git a/tests/fixtures/common/InsideEach.expected.json b/tests/fixtures/common/InsideEach.expected.json
@@ -0,0 +1,19 @@
+{
+    "filename": "InsideEach.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": [
+        {
+            "filename": "InsideEach.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 10,
+                "column": 11
+            },
+            "end": {
+                "line": 10,
+                "column": 23
+            }
+        }
+    ]
+}
diff --git a/tests/fixtures/common/InsideEach.svelte b/tests/fixtures/common/InsideEach.svelte
@@ -0,0 +1,11 @@
+<script>
+    let items = [
+        { content: '<strong>Item 1</strong>' },
+        { content: '<em>Item 2</em>' },
+        { content: '<u>Item 3</u>' }
+    ];
+</script>
+
+{#each items as item}
+    {@html item.content}
+{/each}
diff --git a/tests/fixtures/common/InsideEachWithComment.expected.json b/tests/fixtures/common/InsideEachWithComment.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "InsideEachWithComment.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/InsideEachWithComment.svelte b/tests/fixtures/common/InsideEachWithComment.svelte
@@ -0,0 +1,12 @@
+<script>
+    let items = [
+        { content: '<strong>Item 1</strong>' },
+        { content: '<em>Item 2</em>' },
+        { content: '<u>Item 3</u>' }
+    ];
+</script>
+
+{#each items as item}
+    <!-- svelte-ignore unsafe_html -->
+    {@html item.content}
+{/each}
diff --git a/tests/fixtures/common/InsideIf.expected.json b/tests/fixtures/common/InsideIf.expected.json
@@ -0,0 +1,19 @@
+{
+    "filename": "InsideIf.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": [
+        {
+            "filename": "InsideIf.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 7,
+                "column": 15
+            },
+            "end": {
+                "line": 7,
+                "column": 39
+            }
+        }
+    ]
+}
diff --git a/tests/fixtures/common/InsideIf.svelte b/tests/fixtures/common/InsideIf.svelte
@@ -0,0 +1,9 @@
+<script>
+    const insideIf = true;
+</script>
+
+<div>
+    {#if insideIf}
+        {@html "<span>Inside If</span>"}
+    {/if}
+</div>
diff --git a/tests/fixtures/common/InsideIfWithComment.expected.json b/tests/fixtures/common/InsideIfWithComment.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "InsideIfWithComment.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/InsideIfWithComment.svelte b/tests/fixtures/common/InsideIfWithComment.svelte
@@ -0,0 +1,10 @@
+<script>
+    const insideIf = true;
+</script>
+
+<div>
+    {#if insideIf}
+        <!-- svelte-ignore unsafe_html -->
+        {@html "<span>Inside If</span>"}
+    {/if}
+</div>
diff --git a/tests/fixtures/common/MalformedHTML.expected.json b/tests/fixtures/common/MalformedHTML.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "MalformedHTML.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/MalformedHTML.svelte b/tests/fixtures/common/MalformedHTML.svelte
@@ -0,0 +1 @@
+<div><span><b>oops</div>
diff --git a/tests/fixtures/common/Multiline.expected.json b/tests/fixtures/common/Multiline.expected.json
@@ -0,0 +1,19 @@
+{
+    "filename": "Multiline.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": [
+        {
+            "filename": "Multiline.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 3,
+                "column": 8
+            },
+            "end": {
+                "line": 3,
+                "column": 34
+            }
+        }
+    ]
+}
diff --git a/tests/fixtures/common/Multiline.svelte b/tests/fixtures/common/Multiline.svelte
@@ -0,0 +1,5 @@
+<div>
+    {@html 
+        "<p>This is line one.</p>"
+    }
+</div>
diff --git a/tests/fixtures/common/MultilineWithComment.expected.json b/tests/fixtures/common/MultilineWithComment.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "MultilineWithComment.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/MultilineWithComment.svelte b/tests/fixtures/common/MultilineWithComment.svelte
@@ -0,0 +1,6 @@
+<div>
+    <!-- svelte-ignore unsafe_html -->
+    {@html 
+        "<p>This is line one.</p>"
+    }
+</div>
diff --git a/tests/fixtures/common/NoIssues.expected.json b/tests/fixtures/common/NoIssues.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "NoIssues.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/NoIssues.svelte b/tests/fixtures/common/NoIssues.svelte
@@ -0,0 +1,8 @@
+<script>
+    let text = "Safe text";
+</script>
+
+<div>
+    {text}
+    <p>No @html here</p>
+</div>
diff --git a/tests/fixtures/common/NoIssuesWithComment.expected.json b/tests/fixtures/common/NoIssuesWithComment.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "NoIssuesWithComment.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/NoIssuesWithComment.svelte b/tests/fixtures/common/NoIssuesWithComment.svelte
@@ -0,0 +1,9 @@
+<script>
+    let text = "Safe text";
+</script>
+
+<div>
+    {text}
+    <!-- svelte-ignore unsafe_html -->
+    <p>No @html here</p>
+</div>
diff --git a/tests/fixtures/common/OneUnsafeWithComment.expected.json b/tests/fixtures/common/OneUnsafeWithComment.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "OneUnsafeWithComment.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/.../common/OneUnsafeWithIgnoreComment.svelte → ...xtures/common/OneUnsafeWithComment.svelte b/.../common/OneUnsafeWithIgnoreComment.svelte → ...xtures/common/OneUnsafeWithComment.svelte
diff --git a/tests/fixtures/common/RTLInsideHTML.expected.json b/tests/fixtures/common/RTLInsideHTML.expected.json
@@ -0,0 +1,19 @@
+{
+    "filename": "RTLInsideHTML.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": [
+        {
+            "filename": "RTLInsideHTML.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 1,
+                "column": 7
+            },
+            "end": {
+                "line": 1,
+                "column": 26
+            }
+        }
+    ]
+}
diff --git a/tests/fixtures/common/RTLInsideHTML.svelte b/tests/fixtures/common/RTLInsideHTML.svelte
@@ -0,0 +1 @@
+{@html "<p>שלום مرحبا</p>"}
diff --git a/tests/fixtures/common/RTLNormalText.expected.json b/tests/fixtures/common/RTLNormalText.expected.json
@@ -0,0 +1,6 @@
+{
+    "filename": "RTLNormalText.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": []
+}
diff --git a/tests/fixtures/common/RTLNormalText.svelte b/tests/fixtures/common/RTLNormalText.svelte
@@ -0,0 +1 @@
+<p>שלום مرحبا</p>
diff --git a/tests/fixtures/common/TwoUnsafeWithScript.expected.json b/tests/fixtures/common/TwoUnsafeWithScript.expected.json
@@ -0,0 +1,31 @@
+{
+    "filename": "TwoUnsafeWithScript.svelte",
+    "parsed": true,
+    "error": null,
+    "warnings": [
+        {
+            "filename": "TwoUnsafeWithScript.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 5,
+                "column": 10
+            },
+            "end": {
+                "line": 5,
+                "column": 28
+            }
+        },
+        {
+            "filename": "TwoUnsafeWithScript.svelte",
+            "message": "Unsafe raw HTML insertion without sanitizer",
+            "start": {
+                "line": 8,
+                "column": 10
+            },
+            "end": {
+                "line": 8,
+                "column": 48
+            }
+        }
+    ]
+}