Skip to main content

no-iframe-srcdoc

Disallow populating iframe.srcdoc with inline HTML documents.

Targeted pattern scopeโ€‹

This rule targets:

  • iframe.srcdoc = ...
  • iframe.setAttribute("srcdoc", ...)
  • <iframe srcDoc={...} /> in JSX.

What this rule reportsโ€‹

This rule reports inline iframe document creation through srcdoc writes and JSX srcDoc attributes.

Why this rule existsโ€‹

srcdoc embeds a full HTML document directly into the page. That increases the risk of shipping unsafe inline markup, weakens review boundaries compared with a separate reviewed document URL, and makes it easier to introduce script-capable content in places that look like simple attribute assignments.

โŒ Incorrectโ€‹

iframe.srcdoc = userHtml;
const frame = <iframe srcDoc={userHtml} />;

โœ… Correctโ€‹

iframe.src = "https://example.com/embed.html";
const frame = <iframe src="https://example.com/embed.html" />;

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-iframe-srcdoc": "error",
},
},
];

When not to use itโ€‹

Disable only if your application intentionally serves inline iframe documents, those documents are tightly controlled, and a reviewed sandboxing strategy exists outside this rule.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R053