NO_DANGEROUS_HTML

Prevent the unsafe creation of DOM via HTML methods in your application.
Table of Contents

Conformance is available on Enterprise plans

Unsafe creation of DOM can be done a variety of ways:

  • element.innerHTML
  • element.outerHTML
  • DOMParser.parseFromString()
  • element.insertAdjacentHTML()
  • srcdoc on iframe elements
  • dangerouslySetInnerHTML prop in React apps

Usage of these methods is deemed an unsafe coding practice as the HTML might result in security vulnerabilities.

It is recommended to instead use alternative approaches for HTML construction - such as document.createElement() or a HTML sanitizer.

Last updated on July 23, 2024