no-domparser-html-without-sanitization
Disallow DOMParser.parseFromString(..., "text/html") on unsanitized input.
Targeted pattern scopeโ
DOMParser.parseFromString(..., "text/html") on unsanitized input.
What this rule reportsโ
HTML parsing calls where the source value is not sanitized by an explicit policy function.
Why this rule existsโ
Parsing unsanitized HTML creates unsafe document fragments and XSS surfaces.
โ Incorrectโ
new DOMParser().parseFromString(userHtml, "text/html");
โ Correctโ
new DOMParser().parseFromString(sanitize(userHtml), "text/html");
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-domparser-html-without-sanitization": "error",
},
},
];
When not to use itโ
Disable only if the parsed HTML is produced by a reviewed sanitizer or a fully trusted template source.
Package documentationโ
Further readingโ
Rule catalog ID: R033