no-domparser-svg-without-sanitization
Disallow DOMParser.parseFromString(..., "image/svg+xml") on unsanitized input.
Targeted pattern scopeโ
This rule targets DOMParser.parseFromString(...) when the MIME type is the
static string "image/svg+xml" and the source value is not passed through an
explicit sanitizer or trusted-policy helper.
What this rule reportsโ
This rule reports SVG parsing calls where the input is not sanitized first.
Why this rule existsโ
SVG content can carry active content such as event handlers, script-adjacent behavior, and external references. Parsing unsanitized SVG into a document can create risky DOM fragments that are difficult to review safely.
โ Incorrectโ
new DOMParser().parseFromString(userSvg, "image/svg+xml");
โ Correctโ
new DOMParser().parseFromString(sanitize(userSvg), "image/svg+xml");
Behavior and migration notesโ
This rule intentionally focuses on the explicit SVG parsing sink. It does not attempt to prove whether a non-matching helper name is actually safe.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-domparser-svg-without-sanitization": "error",
},
},
];
When not to use itโ
Disable this rule only if the parsed SVG always comes from a reviewed sanitizer or a fully trusted source and that guarantee is documented.
Package documentationโ
Further readingโ
Rule catalog ID: R066