Skip to main content

no-script-text

Disallow assigning executable code through <script> text sinks.

Targeted pattern scopeโ€‹

This rule targets assignments to the following HTMLScriptElement properties:

  • script.text = ...
  • script.textContent = ...
  • script.innerText = ...

The rule uses type information when available and otherwise falls back to narrow syntax heuristics such as document.createElement("script") or identifiers like scriptElement.

What this rule reportsโ€‹

This rule reports non-empty assignments that inject code directly into script text sinks.

Why this rule existsโ€‹

Writing source code directly into a <script> element turns data flow into code execution. That creates an obvious XSS/code-injection sink and bypasses safer patterns such as loading reviewed static modules or script URLs.

โŒ Incorrectโ€‹

const scriptElement = document.createElement("script");
scriptElement.textContent = userCode;

โœ… Correctโ€‹

const scriptElement = document.createElement("script");
scriptElement.src = "/assets/app.js";

Behavior and migration notesโ€‹

This rule allows empty-string resets such as script.text = "".

It intentionally does not autofix because there is no universally safe rewrite for executable inline script injection.

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-script-text": "error",
},
},
];

When not to use itโ€‹

Disable only if your application intentionally emits inline script bodies, those script bodies are tightly controlled, and the surrounding trust boundary is reviewed outside this rule.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R057