Skip to main content

no-domparser-html-without-sanitization

Disallow DOMParser.parseFromString(..., "text/html") on unsanitized input.

Targeted pattern scopeโ€‹

DOMParser.parseFromString(..., "text/html") on unsanitized input.

What this rule reportsโ€‹

HTML parsing calls where the source value is not sanitized by an explicit policy function.

Why this rule existsโ€‹

Parsing unsanitized HTML creates unsafe document fragments and XSS surfaces.

โŒ Incorrectโ€‹

new DOMParser().parseFromString(userHtml, "text/html");

โœ… Correctโ€‹

new DOMParser().parseFromString(sanitize(userHtml), "text/html");

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },

rules: {
"sdl/no-domparser-html-without-sanitization": "error",
},
},
];

When not to use itโ€‹

Disable only if the parsed HTML is produced by a reviewed sanitizer or a fully trusted template source.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R033