Port template-no-triple-curlies rule from PR #2371

Co-authored-by: NullVoxPopuli <199018+NullVoxPopuli@users.noreply.github.com>

Author: Copilot

README.md

@@ -304,6 +304,12 @@ rules in templates can be disabled with eslint directives with mustache or html
 | [route-path-style](docs/rules/route-path-style.md)                                 | enforce usage of kebab-case (instead of snake_case or camelCase) in route paths          |    |    | 💡 |
 | [routes-segments-snake-case](docs/rules/routes-segments-snake-case.md)             | enforce usage of snake_cased dynamic segments in routes                                  | ✅  |    |    |
 
+### Security
+
+| Name                                                                   | Description                                                   | 💼 | 🔧 | 💡 |
+| :--------------------------------------------------------------------- | :------------------------------------------------------------ | :- | :- | :- |
+| [template-no-triple-curlies](docs/rules/template-no-triple-curlies.md) | disallow usage of triple curly brackets (unescaped variables) |    |    |    |
+
 ### Services
 
 | Name                                                                                                 | Description                                                       | 💼 | 🔧 | 💡 |

docs/rules/template-no-triple-curlies.md

@@ -0,0 +1,62 @@
+# ember/template-no-triple-curlies
+
+<!-- end auto-generated rule header -->
+
+Disallows usage of triple curly brackets (unescaped output) in templates.
+
+Triple curly brackets (`{{{ }}}`) render unescaped HTML, which can lead to XSS (Cross-Site Scripting) vulnerabilities if user input is not properly sanitized.
+
+## Rule Details
+
+This rule disallows the use of triple curly brackets for unescaped output. If you need to render HTML, use the `htmlSafe` helper or `SafeString` API with proper sanitization.
+
+## Examples
+
+Examples of **incorrect** code for this rule:
+
+```gjs
+<template>
+  {{{this.content}}}
+</template>
+```
+
+```gjs
+<template>
+  <div>
+    {{{@htmlContent}}}
+  </div>
+</template>
+```
+
+Examples of **correct** code for this rule:
+
+```gjs
+<template>
+  {{this.content}}
+</template>
+```
+
+```gjs
+<template>
+  {{htmlSafe this.sanitizedContent}}
+</template>
+```
+
+```gjs
+<template>
+  <div>{{@text}}</div>
+</template>
+```
+
+## When Not To Use It
+
+If you are certain that the content being rendered is already sanitized and safe, you may disable this rule. However, this is generally discouraged for security reasons.
+
+## Related Rules
+
+- [no-html-safe](./no-html-safe.md) from eslint-plugin-ember
+
+## References
+
+- [ember-template-lint no-triple-curlies](https://github.com/ember-template-lint/ember-template-lint/blob/master/docs/rule/no-triple-curlies.md)
+- [Ember.js Security Guide](https://guides.emberjs.com/release/security/)

lib/rules/template-no-triple-curlies.js

@@ -0,0 +1,33 @@
+/** @type {import('eslint').Rule.RuleModule} */
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'disallow usage of triple curly brackets (unescaped variables)',
+      category: 'Security',
+      recommended: false,
+      url: 'https://github.com/ember-cli/eslint-plugin-ember/tree/master/docs/rules/template-no-triple-curlies.md',
+    },
+    fixable: null,
+    schema: [],
+    messages: {
+      unsafe:
+        'Usage of triple curly brackets is unsafe. Use htmlSafe helper if absolutely necessary.',
+    },
+  },
+
+  create(context) {
+    return {
+      GlimmerMustacheStatement(node) {
+        // Check if the statement is unescaped (triple curlies)
+        // Use 'trusting' property (escaped is deprecated)
+        if (node.trusting === true) {
+          context.report({
+            node,
+            messageId: 'unsafe',
+          });
+        }
+      },
+    };
+  },
+};