innerHTML prop for a React DOM element should not be used
- REACT_MISUSED_INNER_HTML
- Error
- High
- react
This rule applies when innerHTML prop for a React DOM element is used.
innerHTML prop is risky because it is easy to expose your users to a cross-site scripting (XSS) attack. React provides dangerouslySetInnerHTML as a replacement for innerHTML prop to remind yourself that it is dangerous.
Therefore, you should use dangerouslySetInnerHTML prop instead of innerHTML prop. Otherwise, React outputs a warning message.
Noncompliant Code Example
View with compliant examples side by sideimport React from 'react';
import ReactDOM from 'react-dom';
ReactDOM.render(
<div innerHTML="Hello" />, // REACT_MISUSED_INNER_HTML alarm because 'innerHTML' is used.
document.getElementById("root")
);Compliant Code Example
View with noncompliant examples side by sideimport React from 'react';
import ReactDOM from 'react-dom';
ReactDOM.render(
<div dangerouslySetInnerHTML={{ __html: "Hello" }} />,
document.getElementById("root")
);Version
This rule was introduced in DeepScan 1.6.0-beta.
See
React Warning: Directly setting property
innerHTMLis not permitted. For more information, lookup documentation ondangerouslySetInnerHTML.