react/no-danger
Flag dangerouslySetInnerHTML — raw HTML injection bypasses JSX escaping and invites cross-site scripting.
- Category: Correctness
- Severity: warn
- Source:
oxlint-builtin:react - Framework: global
- Enabled when: always (unless customRulesOnly=true)
- Documentation: https://oxc.rs/docs/guide/usage/linter/rules/react/no-danger.html
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Fires on every use of dangerouslySetInnerHTML — the only React API that bypasses JSX's automatic HTML escaping and injects a raw string into the DOM. The rule can't see whether a sanitizer (DOMPurify, sanitize-html) ran upstream, so even sanitized markdown or CMS output is flagged. False positive: HTML that is provably sanitized at the boundary — verify the value can never carry attacker-controllable input before silencing on a specific line.
Fix prompt
Use this once validation confirms the diagnostic is real.
For plain text, render as children — JSX escapes it automatically: <div>{userContent}</div>. When you genuinely need rich HTML, sanitize at the boundary with DOMPurify.sanitize(html) immediately before passing it in, and add an eslint-disable comment with a written justification on that exact line. See https://oxc.rs/docs/guide/usage/linter/rules/react/no-danger.html and https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html
Related rules
More Correctness rules from the rules reference:
react/no-direct-mutation-state: Disallow mutating this.state directly in class components — use setState so React schedules a re-render.react/no-is-mounted: Disallow the removed legacy isMounted() API — cancel async work instead of guarding setState.react/no-render-return-value: Disallow using the return value of ReactDOM.render — a legacy escape hatch removed in React 19.react/no-string-refs: Disallow legacy string refs like ref='node' — use createRef, useRef, or callback refs.react/no-unknown-property: Disallow unknown or mis-cased DOM attributes in JSX, like class instead of className.