no-range-create-contextual-fragment
Disallow Range.createContextualFragment(...) on unsanitized HTML input.
Targeted pattern scopeโ
This rule targets range.createContextualFragment(html) calls when the HTML
argument is not sanitized first.
What this rule reportsโ
This rule reports Range.createContextualFragment(...) calls whose first
argument is raw HTML instead of the output of a reviewed sanitizer or Trusted
Types-producing helper.
Why this rule existsโ
Range.createContextualFragment(...) parses HTML strings into live DOM
fragments. Passing unsanitized markup into that parser recreates the same XSS
and DOM injection problems that appear with other HTML sink APIs.
โ Incorrectโ
range.createContextualFragment(userHtml);
โ Correctโ
range.createContextualFragment(sanitize(userHtml));
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-range-create-contextual-fragment": "error",
},
},
];
When not to use itโ
Disable only if your HTML input has already passed through a reviewed sanitizer or Trusted Types pipeline that this rule cannot recognize.
Package documentationโ
Further readingโ
Rule catalog ID: R054