diff --git a/README.md b/README.md
index 5b72613c..fc4f3426 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,7 @@ Details changes for each release are documented in the [CHANGELOG.md](https://gi
 - [x] no-dynamic-keys
 - [x] no-unused-keys
 - [x] no-v-html
+- [ ] no-html-message
 - [ ] no-raw-text
 - [ ] valid-message-syntax
 - [ ] keys-order
diff --git a/docs/rules/README.md b/docs/rules/README.md
index 0b5d0947..721911f8 100644
--- a/docs/rules/README.md
+++ b/docs/rules/README.md
@@ -7,6 +7,7 @@
 
 | Rule ID | Description |    |
 |:--------|:------------|:---|
+| [vue-i18n/<wbr>no-html-messages](./no-html-messages.html) | disallow use HTML localization messages | :star: |
 | [vue-i18n/<wbr>no-missing-keys](./no-missing-keys.html) | disallow missing locale message key at localization methods | :star: |
 | [vue-i18n/<wbr>no-v-html](./no-v-html.html) | disallow use of localization methods on v-html to prevent XSS attack | :star: |
 
diff --git a/docs/rules/no-html-messages.md b/docs/rules/no-html-messages.md
new file mode 100644
index 00000000..d6d37ab6
--- /dev/null
+++ b/docs/rules/no-html-messages.md
@@ -0,0 +1,113 @@
+# vue-i18n/no-html-messages
+
+> disallow use HTML localization messages
+
+- :star: The `"extends": "plugin:vue-i18n/recommended"` property in a configuration file enables this rule.
+
+This rule reports in order to reduce the risk of injecting potentially unsafe localization message into the browser leading to supply-chain attack or XSS attack.
+
+## :book: Rule Details
+
+This rule is aimed at eliminating HTML localization messages.
+
+:-1: Examples of **incorrect** code for this rule:
+
+locale messages:
+```js
+// ✗ BAD
+{
+  "hello": "Hello! DIO!",
+  "hi": "Hi! <span>DIO!</span>",
+  "contenst": {
+    "banner": "banner: <iframe src=\"https://banner.domain.com\" frameBorder=\"0\" style=\"z-index:100001;position:fixed;bottom:0;right:0\"/>",
+    "modal": "modal: <span onmouseover=\"alert(document.cookie);\">modal content</span>"
+  }
+}
+```
+
+In localization codes of application:
+
+```vue
+<template>
+  <div class="app">
+    <p>{{ $t('hello') }}</p>
+    <!-- supply-chain attack -->
+    <div v-html="$t('contents.banner')"></div>
+    <!-- XSS attack -->
+    <div v-html="$t('contents.modal')"></div>
+  </div>
+</template>
+```
+
+```js
+const i18n = new VueI18n({
+  locale: 'en',
+  messages: {
+    en: require('./locales/en.json')
+  }
+})
+
+new Vue({
+  i18n,
+  // ...
+}).$mount('#app')
+```
+
+:+1: Examples of **correct** code for this rule:
+
+locale messages:
+// ✓ GOOD
+```js
+{
+  "hello": "Hello! DIO!",
+  "hi": "Hi! DIO!",
+  "contents": {
+    "banner": "banner: {0}",
+    "modal": "modal: {0}"
+  }
+}
+```
+
+In localization codes of application:
+
+```vue
+<template>
+  <div class="app">
+    <p>{{ $t('hello') }}</p>
+    <i18n path="contents.banner">
+      <Banner :url="bannerURL"/>
+    </i18n>
+    <i18n path="contents.modal">
+      <Modal :url="modalDataURL"/>
+    </i18n>
+  </div>
+</template>
+```
+
+```js
+// import some components used in i18n component
+import Banner from './path/to/components/Banner.vue'
+import Modal from './path/to/components/Modal.vue'
+
+// register imprted components (in this example case, Vue.component)
+Vue.component('Banner', Banner)
+Vue.component('Modal', Modal)
+
+const i18n = new VueI18n({
+  locale: 'en',
+  messages: {
+    en: require('./locales/en.json')
+  }
+})
+
+new Vue({
+  i18n,
+  data () {
+    return {
+      bannerURL: 'https://banner.domain.com',
+      modalDataURL: 'https://fetch.domain.com'
+    }
+  }
+  // ...
+}).$mount('#app')
+```
diff --git a/lib/configs/recommended.js b/lib/configs/recommended.js
index d5f02cb3..36f9fd4c 100644
--- a/lib/configs/recommended.js
+++ b/lib/configs/recommended.js
@@ -16,6 +16,7 @@ module.exports = {
   },
   plugins: ['vue-i18n'],
   rules: {
+    'vue-i18n/no-html-messages': 'error',
     'vue-i18n/no-missing-keys': 'error',
     'vue-i18n/no-v-html': 'error'
   }
diff --git a/lib/processors/json.js b/lib/processors/json.js
index 84fadd27..e509264e 100644
--- a/lib/processors/json.js
+++ b/lib/processors/json.js
@@ -18,7 +18,8 @@ module.exports = {
   postprocess ([errors], filename) {
     delete localeMessageFiles[filename]
     return [...errors.filter(
-      error => !error.ruleId || error.ruleId === 'vue-i18n/no-unused-keys'
+      error => !error.ruleId ||
+        (error.ruleId === 'vue-i18n/no-unused-keys' || error.ruleId === 'vue-i18n/no-html-messages')
     )]
   },
 
diff --git a/lib/rules.js b/lib/rules.js
index fdd84eb8..53ef6763 100644
--- a/lib/rules.js
+++ b/lib/rules.js
@@ -3,6 +3,7 @@
 
 module.exports = {
   'no-dynamic-keys': require('./rules/no-dynamic-keys'),
+  'no-html-messages': require('./rules/no-html-messages'),
   'no-missing-keys': require('./rules/no-missing-keys'),
   'no-unused-keys': require('./rules/no-unused-keys'),
   'no-v-html': require('./rules/no-v-html')
diff --git a/lib/rules/no-html-messages.js b/lib/rules/no-html-messages.js
new file mode 100644
index 00000000..1dad8eb4
--- /dev/null
+++ b/lib/rules/no-html-messages.js
@@ -0,0 +1,141 @@
+/**
+ * @author kazuya kawaguchi (a.k.a. kazupon)
+ */
+'use strict'
+
+const { extname } = require('path')
+const jsonAstParse = require('json-to-ast')
+const parse5 = require('parse5')
+const { UNEXPETECD_ERROR_LOCATION, loadLocaleMessages } = require('../utils/index')
+const debug = require('debug')('eslint-plugin-vue-i18n:no-html-messages')
+
+let localeMessages = null // used locale messages
+let localeDir = null
+
+function findExistLocaleMessage (fullpath, localeMessages) {
+  return localeMessages.find(message => message.fullpath === fullpath)
+}
+
+function extractJsonInfo (context, node) {
+  try {
+    const [str, filename] = node.comments
+    return [
+      Buffer.from(str.value, 'base64').toString(),
+      Buffer.from(filename.value, 'base64').toString()
+    ]
+  } catch (e) {
+    context.report({
+      loc: UNEXPETECD_ERROR_LOCATION,
+      message: e.message
+    })
+    return []
+  }
+}
+
+function generateJsonAst (context, json, filename) {
+  let ast = null
+
+  try {
+    ast = jsonAstParse(json, { loc: true, source: filename })
+  } catch (e) {
+    const { message, line, column } = e
+    context.report({
+      message,
+      loc: { line, column }
+    })
+  }
+
+  return ast
+}
+
+function traverseNode (node, fn) {
+  if (node.type === 'Object' && node.children.length > 0) {
+    node.children.forEach(child => {
+      if (child.type === 'Property') {
+        const keyNode = child.key
+        const valueNode = child.value
+        if (keyNode.type === 'Identifier' && valueNode.type === 'Object') {
+          return traverseNode(valueNode, fn)
+        } else {
+          return fn(valueNode)
+        }
+      }
+    })
+  }
+}
+
+function findHTMLNode (node) {
+  return node.childNodes.find(child => {
+    if (child.nodeName !== '#text' && child.tagName) {
+      return true
+    }
+  })
+}
+
+function create (context) {
+  const filename = context.getFilename()
+  if (extname(filename) !== '.json') {
+    debug(`ignore ${filename} in no-html-messages`)
+    return {}
+  }
+
+  const { settings } = context
+  if (!settings['vue-i18n'] || !settings['vue-i18n'].localeDir) {
+    context.report({
+      loc: UNEXPETECD_ERROR_LOCATION,
+      message: `You need to 'localeDir' at 'settings. See the 'eslint-plugin-vue-i18n documentation`
+    })
+    return {}
+  }
+
+  if (localeDir !== settings['vue-i18n'].localeDir) {
+    debug(`change localeDir: ${localeDir} -> ${settings['vue-i18n'].localeDir}`)
+    localeDir = settings['vue-i18n'].localeDir
+    localeMessages = loadLocaleMessages(localeDir)
+  } else {
+    localeMessages = localeMessages || loadLocaleMessages(settings['vue-i18n'].localeDir)
+  }
+
+  const targetLocaleMessage = findExistLocaleMessage(filename, localeMessages)
+  if (!targetLocaleMessage) {
+    debug(`ignore ${filename} in no-html-messages`)
+    return {}
+  }
+
+  return {
+    Program (node) {
+      const [jsonString, jsonFilename] = extractJsonInfo(context, node)
+      if (!jsonString || !jsonFilename) { return }
+
+      const ast = generateJsonAst(context, jsonString, jsonFilename)
+      if (!ast) { return }
+
+      traverseNode(ast, messageNode => {
+        const htmlNode = parse5.parseFragment(messageNode.value, { sourceCodeLocationInfo: true })
+        const foundNode = findHTMLNode(htmlNode)
+        if (!foundNode) { return }
+        context.report({
+          message: `used HTML localization message in '${targetLocaleMessage.path}'`,
+          loc: {
+            line: messageNode.loc.start.line,
+            column: messageNode.loc.start.column + foundNode.sourceCodeLocation.startOffset
+          }
+        })
+      })
+    }
+  }
+}
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'disallow use HTML localization messages',
+      category: 'Recommended',
+      recommended: true
+    },
+    fixable: null,
+    schema: []
+  },
+  create
+}
diff --git a/package.json b/package.json
index d4b61112..a2e85865 100644
--- a/package.json
+++ b/package.json
@@ -16,6 +16,7 @@
     "json-to-ast": "^2.1.0",
     "jsondiffpatch": "^0.3.11",
     "lodash": "^4.17.11",
+    "parse5": "^5.1.0",
     "vue-eslint-parser": "^6.0.3"
   },
   "devDependencies": {
diff --git a/tests/fixtures/no-html-messages/invalid/en.json b/tests/fixtures/no-html-messages/invalid/en.json
new file mode 100644
index 00000000..51b80eb8
--- /dev/null
+++ b/tests/fixtures/no-html-messages/invalid/en.json
@@ -0,0 +1,8 @@
+{
+  "hello": "Hello! DIO!",
+  "hi": "Hi! <span>DIO!</span>",
+  "contents": {
+    "banner": "banner: <iframe src=\"https://banner.domain.com\" frameBorder=\"0\" style=\"z-index:100001;position:fixed;bottom:0;right:0\"/>",
+    "modal": "modal: <span onmouseover=\"alert(document.cookie);\">modal content</span>"
+  }
+}
\ No newline at end of file
diff --git a/tests/fixtures/no-html-messages/valid/en.json b/tests/fixtures/no-html-messages/valid/en.json
new file mode 100644
index 00000000..6c611e49
--- /dev/null
+++ b/tests/fixtures/no-html-messages/valid/en.json
@@ -0,0 +1,8 @@
+{
+  "hello": "Hello! DIO!",
+  "hi": "Hi! DIO!",
+  "contents": {
+    "banner": "banner: {0}",
+    "modal": "modal: {0}"
+  }
+}
\ No newline at end of file
diff --git a/tests/lib/rules/no-html-messages.js b/tests/lib/rules/no-html-messages.js
new file mode 100644
index 00000000..3ef4d1e5
--- /dev/null
+++ b/tests/lib/rules/no-html-messages.js
@@ -0,0 +1,93 @@
+/**
+ * @author kazuya kawaguchi (a.k.a. kazupon)
+ */
+'use strict'
+
+const Module = require('module')
+const { CLIEngine } = require('eslint')
+const { resolve, join } = require('path')
+const assert = require('assert')
+
+describe('no-html-messages', () => {
+  let originalCwd
+  const resolveFilename = Module._resolveFilename
+
+  before(() => {
+    Module._resolveFilename = function (id) {
+      if (id === 'eslint-plugin-vue-i18n') {
+        return resolve(__dirname, '../../../lib/index.js')
+      }
+      return resolveFilename.apply(this, arguments)
+    }
+    originalCwd = process.cwd()
+    const p = join(__dirname, '../../fixtures/no-html-messages')
+    process.chdir(p)
+  })
+
+  after(() => {
+    Module._resolveFilename = resolveFilename
+    process.chdir(originalCwd)
+  })
+
+  describe('valid', () => {
+    it('should be not detected html messages', () => {
+      const linter = new CLIEngine({
+        baseConfig: {
+          settings: {
+            'vue-i18n': {
+              localeDir: `./valid/*.json`
+            }
+          }
+        },
+        parser: 'vue-eslint-parser',
+        parserOptions: {
+          ecmaVersion: 2015
+        },
+        plugins: ['vue-i18n'],
+        rules: {
+          'vue-i18n/no-html-messages': 'error'
+        },
+        extensions: ['.js', '.vue', '.json']
+      })
+
+      const messages = linter.executeOnFiles(['.'])
+      assert.equal(messages.errorCount, 0)
+    })
+  })
+
+  describe('invalid', () => {
+    it('should be detected html messages', () => {
+      const linter = new CLIEngine({
+        baseConfig: {
+          settings: {
+            'vue-i18n': {
+              localeDir: `./invalid/*.json`
+            }
+          }
+        },
+        parser: 'vue-eslint-parser',
+        parserOptions: {
+          ecmaVersion: 2015
+        },
+        plugins: ['vue-i18n'],
+        rules: {
+          'vue-i18n/no-html-messages': 'error'
+        },
+        extensions: ['.js', '.vue', '.json']
+      })
+
+      const messages = linter.executeOnFiles(['.'])
+      assert.equal(messages.errorCount, 3)
+
+      function checkRuleId (path) {
+        const fullPath = resolve(__dirname, path)
+        const [result] = messages.results
+          .filter(result => result.filePath === fullPath)
+        result.messages.forEach(message => {
+          assert.equal(message.ruleId, 'vue-i18n/no-html-messages')
+        })
+      }
+      checkRuleId('../../fixtures/no-html-messages/invalid/en.json')
+    })
+  })
+})
diff --git a/yarn.lock b/yarn.lock
index d8afc90b..b8e18120 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6431,6 +6431,11 @@ parse-passwd@^1.0.0:
   resolved "https://registry.yarnpkg.com/parse-passwd/-/parse-passwd-1.0.0.tgz#6d5b934a456993b23d37f40a382d6f1666a8e5c6"
   integrity sha1-bVuTSkVpk7I9N/QKOC1vFmao5cY=
 
+parse5@^5.1.0:
+  version "5.1.0"
+  resolved "https://registry.yarnpkg.com/parse5/-/parse5-5.1.0.tgz#c59341c9723f414c452975564c7c00a68d58acd2"
+  integrity sha512-fxNG2sQjHvlVAYmzBZS9YlDp6PTSSDwa98vkD4QgVDDCAo84z5X1t5XyJQ62ImdLXx5NdIIfihey6xpum9/gRQ==
+
 parseurl@~1.3.2:
   version "1.3.2"
   resolved "https://registry.yarnpkg.com/parseurl/-/parseurl-1.3.2.tgz#fc289d4ed8993119460c156253262cdc8de65bf3"