no-document-write
Disallow direct DOM writes through document.write and document.writeln.
Targeted pattern scopeโ
This rule targets:
document.write(...)document.writeln(...).
What this rule reportsโ
This rule reports direct document stream writes that inject HTML into the page.
Why this rule existsโ
document.write APIs are prone to injection and can overwrite document state in
unpredictable ways.
โ Incorrectโ
document.write(`<div>${userInput}</div>`);
โ Correctโ
const node = document.createElement("div");
node.textContent = userInput;
document.body.append(node);
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-document-write": "error",
},
},
];
When not to use itโ
Disable only in controlled legacy rendering flows that cannot migrate from document stream writes.
Package documentationโ
Further readingโ
Rule catalog ID: R008