# no-unsafe-string-replacement

Disallow non-literal replacement values in `String#replace()` and `String#replaceAll()`.

💼🚫 This rule is enabled in the ✅ `recommended` [config](https://github.com/sindresorhus/eslint-plugin-unicorn#recommended-config). This rule is _disabled_ in the ☑️ `unopinionated` [config](https://github.com/sindresorhus/eslint-plugin-unicorn#recommended-config).

The replacement argument of [`String#replace()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace) and [`String#replaceAll()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replaceAll) is not inserted literally when it is a string. Special replacement patterns like `$&`, `$1`, and `` $` `` are expanded. When the replacement value comes from an expression, this can produce unexpected output or security bugs.

Use a literal string when the replacement is static. Use a replacement function when the replacement is dynamic.

## Examples

```js
// ❌
template.replace('{url}', htmlEscape(url));

// ✅
template.replace('{url}', () => htmlEscape(url));
```

```js
// ❌
template.replaceAll('{url}', htmlEscape(url));

// ✅
template.replaceAll('{url}', () => htmlEscape(url));
```

```js
// ✅
template.replace('{url}', 'https://example.com');
```

```js
// ✅
template.replace('{url}', `https://example.com`);
```
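As an added example (not from the eslint-plugin-unicorn docs), the following shows how a replacement string that has already passed through an HTML escaper still has its `$` patterns expanded, so raw markup ends up in the output, and how the replacer-function form keeps the value literal. `htmlEscape`, `TEMPLATE` and the two input URLs are constructed for this example.

```javascript
// Minimal HTML escaper, constructed for this example (not the plugin's helper).
// Every replacement here is a static literal, which the rule allows.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const TEMPLATE = '<a href="{url}">link</a>';

// ❌ Flagged by the rule: the escaped value is passed as a string, so the
// engine interprets `$` patterns inside it before insertion.
function renderUnsafe(url) {
  return TEMPLATE.replace('{url}', htmlEscape(url));
}

// ✅ Compliant: whatever the replacer function returns is inserted verbatim.
function renderSafe(url) {
  return TEMPLATE.replace('{url}', () => htmlEscape(url));
}

// Constructed input containing `` $` `` (the text before the match). It has no
// HTML-special characters, so htmlEscape() leaves it unchanged, yet the unsafe
// form expands it to `<a href="` and puts an unescaped `<` and `"` inside the
// attribute the escaper was supposed to protect.
const UNTRUSTED_URL = 'https://example.com/?next=$`';

// Constructed input showing that escaping can *create* a pattern: `$'` becomes
// `$&#39;`, and `$&` then expands to the matched text `{url}`.
const QUOTE_URL = "x$'";

// Self-check: the safe form preserves the escaped value exactly.
function escapingPreserved(url) {
  return renderSafe(url) === TEMPLATE.replace('{url}', () => htmlEscape(url))
    && renderSafe(url).includes(htmlEscape(url));
}
```

Running `renderUnsafe(UNTRUSTED_URL)` yields `<a href="https://example.com/?next=<a href="">link</a>`, while `renderSafe(UNTRUSTED_URL)` keeps the literal `` $` `` in the attribute.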