Skip to main content

no-html-method

Disallow unsafe HTML injection through jQuery-like html() method usage.

Targeted pattern scopeโ€‹

This rule targets calls to html(...) methods on DOM wrapper libraries where arguments are interpreted as HTML.

What this rule reportsโ€‹

This rule reports html(...) invocations that write markup directly to the DOM.

Why this rule existsโ€‹

Direct HTML insertion can execute attacker-controlled markup and script payloads when inputs are not strongly sanitized.

โŒ Incorrectโ€‹

$("#content").html(userSuppliedHtml);

โœ… Correctโ€‹

$("#content").text(userSuppliedHtml);

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-html-method": "error",
},
},
];

When not to use itโ€‹

Disable only for trusted, static markup paths where inputs are guaranteed safe.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R018