Frontend safety

no-dangerous-html

Flag `dangerouslySetInnerHTML`, the canonical XSS sink for user-supplied input.

AI coding tools reach for `dangerouslySetInnerHTML` whenever they need to render any HTML-shaped string, including ones that originated as user input. The prop injects the string as raw markup, so React's text escaping no longer applies and any script-bearing input executes in the viewer's browser. The rule excludes the canonical safe uses (`<script type="application/ld+json">` for Schema.org structured data, `<style>` for inline CSS, and the Next.js `<Script>` component). Those exclusions are by host element, not by content: a JSON-LD block built from user data still needs `<` and `</script>` escaped before it is inlined.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

<div dangerouslySetInnerHTML={{ __html: comment }} />

Good:

<div>{comment}</div>
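The decision the rule makes, including the host-element exclusions described above, written out as a runnable illustration. This is added example code, not the @deslint plugin's own source; the node shapes follow ESTree/JSX as ESLint passes them to a rule, and the `attr`/`element` builders, `runRule` driver and stub `context` are assumptions so the file runs under plain `node` without ESLint installed.

```javascript
// Added illustration (not @deslint's source) of the decision this rule makes.
// Node shapes follow ESTree/JSX as ESLint hands them to a rule, so `rule`
// could be loaded by ESLint; `runRule` below drives it with hand-built nodes
// and a stub context so the file runs under plain `node` without ESLint.

const DANGEROUS_PROP = 'dangerouslySetInnerHTML';
const SAFE_TAGS = new Set(['style', 'Script']); // inline CSS, Next.js <Script>

function jsxName(nameNode) {
  // <div> is a JSXIdentifier, <Foo.Bar> a JSXMemberExpression, <svg:rect> a JSXNamespacedName.
  if (!nameNode) return '';
  switch (nameNode.type) {
    case 'JSXIdentifier':
      return nameNode.name;
    case 'JSXMemberExpression':
      return `${jsxName(nameNode.object)}.${jsxName(nameNode.property)}`;
    case 'JSXNamespacedName':
      return `${nameNode.namespace.name}:${nameNode.name.name}`;
    default:
      return '';
  }
}

function literalAttr(attributes, name) {
  // String value of attribute `name` when it is a plain literal, otherwise null.
  // A computed value (type={t}) yields null so the caller stays conservative.
  const a = attributes.find((x) => x.type === 'JSXAttribute' && x.name.name === name);
  if (!a || !a.value) return null;
  if (a.value.type === 'Literal') return String(a.value.value);
  if (a.value.type === 'JSXExpressionContainer' && a.value.expression.type === 'Literal') {
    return String(a.value.expression.value);
  }
  return null;
}

function isAllowedHost(opening) {
  // `opening` is the JSXOpeningElement that carries the attribute.
  const tag = jsxName(opening.name);
  if (SAFE_TAGS.has(tag)) return true;
  // <script> is exempt only as a JSON-LD block; any other <script> is still flagged.
  if (tag === 'script') return literalAttr(opening.attributes, 'type') === 'application/ld+json';
  return false;
}

const rule = {
  meta: {
    type: 'problem',
    docs: { description: `Flag ${DANGEROUS_PROP} outside the known-safe host elements` },
    schema: [],
    messages: { dangerous: `${DANGEROUS_PROP} bypasses React's escaping; render the value as a text child instead.` },
  },
  create(context) {
    return {
      JSXAttribute(node) {
        if (node.name.type !== 'JSXIdentifier' || node.name.name !== DANGEROUS_PROP) return;
        if (isAllowedHost(node.parent)) return;
        context.report({ node, messageId: 'dangerous' });
      },
    };
  },
};

// Builders for the hand-written AST used below (assumed shapes, matching ESTree/JSX).
function attr(name, value = null) {
  return { type: 'JSXAttribute', name: { type: 'JSXIdentifier', name }, value };
}
function lit(value) {
  return { type: 'Literal', value };
}
function expr(expression) {
  return { type: 'JSXExpressionContainer', expression };
}
function element(tag, attributes) {
  const opening = { type: 'JSXOpeningElement', name: { type: 'JSXIdentifier', name: tag }, attributes };
  for (const a of attributes) a.parent = opening; // ESLint sets `parent` on every node
  return opening;
}

// Run the visitor over one element and return the number of reports raised.
function runRule(opening) {
  const reports = [];
  const visitor = rule.create({ report: (r) => reports.push(r) });
  for (const a of opening.attributes) visitor.JSXAttribute(a);
  return reports.length;
}

// Stand-in for the `{ __html: comment }` object in the page's example.
const html = expr({ type: 'ObjectExpression', properties: [] });

// <div dangerouslySetInnerHTML={{ __html: comment }} />            -> 1 (flagged)
console.log(runRule(element('div', [attr(DANGEROUS_PROP, html)])));
// <script type="application/ld+json" dangerouslySetInnerHTML={...} /> -> 0 (allowed)
console.log(runRule(element('script', [attr('type', lit('application/ld+json')), attr(DANGEROUS_PROP, html)])));
// <script type={kind} dangerouslySetInnerHTML={...} />             -> 1 (type is not a literal)
console.log(runRule(element('script', [attr('type', expr({ type: 'Identifier', name: 'kind' })), attr(DANGEROUS_PROP, html)])));
```

The conservative branch is the point worth copying: a `<script>` whose `type` is computed at runtime cannot be proven to be JSON-LD at lint time, so it stays flagged rather than being waved through.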

Use it

Enable no-dangerous-html in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-dangerous-html': 'error',
    },
  },
];
