security.output-encoding

Avoid unsafe `dangerouslySetInnerHTML`

React `dangerouslySetInnerHTML` should only render fixed or explicitly sanitized HTML.

# Metadata

# Why it matters

React bypasses its normal escaping model when `dangerouslySetInnerHTML` is used, which makes unsanitized HTML a direct XSS sink.

# Remediation

Prefer normal React rendering, or pass only fixed or explicitly sanitized HTML to `dangerouslySetInnerHTML`.
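One way to enforce "fixed or explicitly sanitized" at the call site, shown as an added example that is not part of this rule or of React: a wrapper that refuses raw strings. The names `fixedHtml`, `sanitizedHtml` and `toInnerHtmlProp` are hypothetical, and the sanitizer used in the demo is a stand-in that escapes everything.

```javascript
// Added example; all names here are hypothetical, not part of React or this rule.
const TRUSTED = Symbol("trustedHtml"); // cannot be forged by JSON or form input

// Escape a value so it can only ever be text, never markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed HTML: markup comes from the template literal in source code;
// every interpolated value is escaped.
function fixedHtml(strings, ...values) {
  let html = strings[0];
  values.forEach((v, i) => { html += escapeHtml(v) + strings[i + 1]; });
  return Object.freeze({ [TRUSTED]: true, html });
}

// Explicitly sanitized HTML: the caller must supply the sanitizer.
// Assumption: in an application this is a vetted HTML sanitizer library.
function sanitizedHtml(untrusted, sanitize) {
  if (typeof sanitize !== "function") {
    throw new TypeError("sanitizedHtml needs a sanitizer function");
  }
  return Object.freeze({ [TRUSTED]: true, html: String(sanitize(String(untrusted))) });
}

// The single place that builds the prop value; raw strings are rejected.
function toInnerHtmlProp(value) {
  if (value === null || typeof value !== "object" || value[TRUSTED] !== true) {
    throw new TypeError("expected fixedHtml`...` or sanitizedHtml(...) output");
  }
  return { __html: value.html };
}

// Constructed sample input standing in for attacker-controlled text.
const userInput = '<b onmouseover="x()">hi</b>';

function demo() {
  const fixed = toInnerHtmlProp(fixedHtml`<p>Hello, ${userInput}</p>`);
  // Stand-in sanitizer for the demo: escapes everything (strictest policy).
  const cleaned = toInnerHtmlProp(sanitizedHtml(userInput, escapeHtml));
  let rejected = false;
  try { toInnerHtmlProp(userInput); } catch (e) { rejected = e instanceof TypeError; }
  return { fixed, cleaned, rejected };
}

console.log(demo());
```

In a component the result would be passed as `dangerouslySetInnerHTML={toInnerHtmlProp(value)}`, so a reviewer only has to audit the two constructor functions.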

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.dangerously-set-inner-html.rule.yaml`.