False positive XSS Security Hotspot using Vue?

“Make sure bypassing Vue built-in sanitization is safe here.
Disabling Vue.js built-in escaping is security-sensitive[typescript:S6299]”

That happens binding a constant to an anchor’s href attribute like:

 <a :href="appConstants.DOCS_URL" target="_blank">Docs</a>

Is not a user-controlled value, so could be considered a false positive or what am I missing here?


Hey there.

This issue is a security hotspot

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you’ll either find there is no threat, or you need to apply a fix to secure the code.

If you’ve reviewed the hotspot and determined it’s safe – you can mark it as such!