no-document-parse-html-unsafe
Disallow Document.parseHTMLUnsafe() calls that parse HTML through the unsafe document-construction path.
Targeted pattern scopeโ
This rule targets direct Document.parseHTMLUnsafe(...) calls, including
window.Document.parseHTMLUnsafe(...) and globalThis.Document.parseHTMLUnsafe(...).
What this rule reportsโ
This rule reports Document.parseHTMLUnsafe(...) because that API name is the
explicit unsafe parsing path for creating a new Document from HTML.
Why this rule existsโ
Document.parseHTMLUnsafe() does not guarantee that XSS-unsafe markup will be
removed. That makes it a poor default for application code that handles HTML
input, especially when a safer Document.parseHTML() path or a reviewed
sanitization pipeline is available.
โ Incorrectโ
const parsed = Document.parseHTMLUnsafe(userHtml);
โ Correctโ
const parsed = Document.parseHTML(userHtml);
Behavior and migration notesโ
This rule intentionally reports the unsafe API itself instead of trying to infer whether an optional sanitizer argument is strong enough. If you truly need the unsafe API for a reviewed edge case, disable the rule locally and document that trust boundary.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-document-parse-html-unsafe": "error",
},
},
];
When not to use itโ
Disable only if your codebase has a reviewed requirement to use
Document.parseHTMLUnsafe() and that call site is already protected by a
sanitization policy this rule cannot verify.
Package documentationโ
Further readingโ
Rule catalog ID: R056