Skip to main content

no-document-write

Disallow direct DOM writes through document.write and document.writeln.

Targeted pattern scopeโ€‹

This rule targets:

  • document.write(...)
  • document.writeln(...).

What this rule reportsโ€‹

This rule reports direct document stream writes that inject HTML into the page.

Why this rule existsโ€‹

document.write APIs are prone to injection and can overwrite document state in unpredictable ways.

โŒ Incorrectโ€‹

document.write(`<div>${userInput}</div>`);

โœ… Correctโ€‹

const node = document.createElement("div");
node.textContent = userInput;
document.body.append(node);

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-document-write": "error",
},
},
];

When not to use itโ€‹

Disable only in controlled legacy rendering flows that cannot migrate from document stream writes.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R008