# `react/no-danger`



- **Category:** Correctness
- **Severity:** warn
- **Source:** oxlint-builtin:react
- **Framework:** global
- **Enabled when:** always (unless customRulesOnly=true)
- **Documentation:** <https://oxc.rs/docs/guide/usage/linter/rules/react/no-danger.html>

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires on every use of dangerouslySetInnerHTML — the only React API that bypasses JSX's automatic HTML escaping and injects a raw string into the DOM. The rule can't see whether a sanitizer (DOMPurify, sanitize-html) ran upstream, so even sanitized markdown or CMS output is flagged. False positive: HTML that is provably sanitized at the boundary — verify the value can never carry attacker-controllable input before silencing on a specific line.

## Fix prompt

Use this once validation confirms the diagnostic is real.

For plain text, render as children — JSX escapes it automatically: <div>{userContent}</div>. When you genuinely need rich HTML, sanitize at the boundary with DOMPurify.sanitize(html) immediately before passing it in, and add an eslint-disable comment with a written justification on that exact line. See https://oxc.rs/docs/guide/usage/linter/rules/react/no-danger.html and https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html