Skip to main content

no-set-html-unsafe

Disallow setHTMLUnsafe() calls that bypass the safer HTML Sanitizer API path.

Targeted pattern scopeโ€‹

This rule targets direct .setHTMLUnsafe(...) calls.

What this rule reportsโ€‹

This rule reports calls to setHTMLUnsafe() because that API is the explicit unsafe escape hatch for injecting HTML content.

Why this rule existsโ€‹

setHTMLUnsafe() makes dangerous HTML parsing look deceptively close to the safer setHTML() API. Standardizing on the safe API path reduces accidental use of the unsafe variant and keeps security review focused on fewer HTML sink surfaces.

โŒ Incorrectโ€‹

element.setHTMLUnsafe(userHtml);

โœ… Correctโ€‹

element.setHTML(userHtml);

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-set-html-unsafe": "error",
},
},
];

When not to use itโ€‹

Disable only if you have an explicit requirement to use the unsafe HTML setter, its inputs are tightly controlled, and the surrounding review process documents why the safe setHTML() path is not sufficient.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R055