Skip to main content

no-range-create-contextual-fragment

Disallow Range.createContextualFragment(...) on unsanitized HTML input.

Targeted pattern scopeโ€‹

This rule targets range.createContextualFragment(html) calls when the HTML argument is not sanitized first.

What this rule reportsโ€‹

This rule reports Range.createContextualFragment(...) calls whose first argument is raw HTML instead of the output of a reviewed sanitizer or Trusted Types-producing helper.

Why this rule existsโ€‹

Range.createContextualFragment(...) parses HTML strings into live DOM fragments. Passing unsanitized markup into that parser recreates the same XSS and DOM injection problems that appear with other HTML sink APIs.

โŒ Incorrectโ€‹

range.createContextualFragment(userHtml);

โœ… Correctโ€‹

range.createContextualFragment(sanitize(userHtml));

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-range-create-contextual-fragment": "error",
},
},
];

When not to use itโ€‹

Disable only if your HTML input has already passed through a reviewed sanitizer or Trusted Types pipeline that this rule cannot recognize.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R054