no-domparser-html-without-sanitization

Disallow DOMParser.parseFromString(..., "text/html") on unsanitized input.

Targeted pattern scope

DOMParser.parseFromString(..., "text/html") on unsanitized input.

What this rule reports

HTML parsing calls where the source value is not sanitized by an explicit policy function.

Why this rule exists

Parsing unsanitized HTML creates unsafe document fragments and XSS surfaces.

❌ Incorrect

new DOMParser().parseFromString(userHtml, "text/html");

✅ Correct

new DOMParser().parseFromString(sanitize(userHtml), "text/html");
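The page's correct form assumes an explicit sanitization policy function wrapping the parser input. The following is an added example, not code from eslint-plugin-sdl-2: `sanitize` is a small allowlist policy (escape everything, then restore only bare attribute-free tags from a short allowlist), and `parseUntrustedHtml` is the assumed wrapper that calls DOMParser only on its output.

```javascript
// Added example (not part of the plugin): a minimal allowlist policy
// function and the wrapper that feeds only its output to DOMParser.
// Names `sanitize` and `parseUntrustedHtml` are assumed for this example.

// Tags restored after escaping; attributes are never restored, so event
// handlers and URLs on allowed tags stay inert text.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

// Step 1: escape every HTML-significant character so no markup survives.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Step 2: re-enable only exact, attribute-free tags from the allowlist.
// `<b onclick=x>` contains a space, so it never matches and stays escaped;
// `<script>` is not in the allowlist, so it stays escaped too.
function sanitize(untrustedHtml) {
  const escaped = escapeHtml(String(untrustedHtml));
  return escaped.replace(/&lt;(\/?)([a-z]+)&gt;/gi, (match, slash, tag) => {
    const name = tag.toLowerCase();
    return ALLOWED_TAGS.has(name) ? `<${slash}${name}>` : match;
  });
}

// The only call site that touches DOMParser: its argument is always the
// policy function's output, which is the shape this rule accepts.
// In Node (no DOMParser) the sanitized string is returned for inspection.
function parseUntrustedHtml(userHtml) {
  const safeHtml = sanitize(userHtml);
  if (typeof DOMParser === "undefined") return safeHtml;
  return new DOMParser().parseFromString(safeHtml, "text/html");
}

// Constructed sample input: mixed allowed markup and an injected script.
const SAMPLE_INPUT = '<b>Hi</b><script>alert(1)</script><img src=x onerror=alert(1)>';
```

In a browser, `parseUntrustedHtml(SAMPLE_INPUT)` yields a document whose only element nodes are the `<b>` and the literal text of the neutralized script and img markup.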

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
  {
    plugins: { sdl },

    rules: {
      "sdl/no-domparser-html-without-sanitization": "error",
    },
  },
];

When not to use it

Disable only if the parsed HTML is produced by a reviewed sanitizer or a fully trusted template source.

Further reading

Rule catalog ID: R033