no-script-text
Disallow assigning executable code through <script> text sinks.
Targeted pattern scopeโ
This rule targets assignments to the following HTMLScriptElement properties:
script.text = ...script.textContent = ...script.innerText = ...
The rule uses type information when available and otherwise falls back to narrow
syntax heuristics such as document.createElement("script") or identifiers like
scriptElement.
What this rule reportsโ
This rule reports non-empty assignments that inject code directly into script text sinks.
Why this rule existsโ
Writing source code directly into a <script> element turns data flow into code
execution. That creates an obvious XSS/code-injection sink and bypasses safer
patterns such as loading reviewed static modules or script URLs.
โ Incorrectโ
const scriptElement = document.createElement("script");
scriptElement.textContent = userCode;
โ Correctโ
const scriptElement = document.createElement("script");
scriptElement.src = "/assets/app.js";
Behavior and migration notesโ
This rule allows empty-string resets such as script.text = "".
It intentionally does not autofix because there is no universally safe rewrite for executable inline script injection.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-script-text": "error",
},
},
];
When not to use itโ
Disable only if your application intentionally emits inline script bodies, those script bodies are tightly controlled, and the surrounding trust boundary is reviewed outside this rule.
Package documentationโ
Further readingโ
Rule catalog ID: R057