Skip to main content

no-inner-html

Disallow unsafe direct HTML writes through DOM HTML sink properties and methods.

Targeted pattern scopeโ€‹

This rule targets:

  • element.innerHTML = ...
  • element.outerHTML = ...
  • element.insertAdjacentHTML(...).

What this rule reportsโ€‹

This rule reports direct HTML sink writes that bypass safe text-based DOM APIs.

Why this rule existsโ€‹

HTML sink APIs are common XSS entry points when they receive unsanitized or partially sanitized input.

โŒ Incorrectโ€‹

container.innerHTML = userSuppliedHtml;
container.insertAdjacentHTML("beforeend", userSuppliedHtml);

โœ… Correctโ€‹

const node = document.createElement("p");
node.textContent = userSuppliedHtml;
container.append(node);

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-inner-html": "error",
},
},
];

When not to use itโ€‹

Disable only when a dedicated, reviewed sanitizer guarantees safe markup.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R019