Skip to main content

no-domparser-svg-without-sanitization

Disallow DOMParser.parseFromString(..., "image/svg+xml") on unsanitized input.

Targeted pattern scopeโ€‹

This rule targets DOMParser.parseFromString(...) when the MIME type is the static string "image/svg+xml" and the source value is not passed through an explicit sanitizer or trusted-policy helper.

What this rule reportsโ€‹

This rule reports SVG parsing calls where the input is not sanitized first.

Why this rule existsโ€‹

SVG content can carry active content such as event handlers, script-adjacent behavior, and external references. Parsing unsanitized SVG into a document can create risky DOM fragments that are difficult to review safely.

โŒ Incorrectโ€‹

new DOMParser().parseFromString(userSvg, "image/svg+xml");

โœ… Correctโ€‹

new DOMParser().parseFromString(sanitize(userSvg), "image/svg+xml");

Behavior and migration notesโ€‹

This rule intentionally focuses on the explicit SVG parsing sink. It does not attempt to prove whether a non-matching helper name is actually safe.

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-domparser-svg-without-sanitization": "error",
},
},
];

When not to use itโ€‹

Disable this rule only if the parsed SVG always comes from a reviewed sanitizer or a fully trusted source and that guarantee is documented.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R066