react/no-dangerously-set-innerhtml

Rule category

Security.

What it does

Warns when using dangerouslySetInnerHTML.

Why is this bad?

dangerouslySetInnerHTML should be used with extreme caution! If the HTML passed to it isn’t trusted (for example, if it’s based on user data), you risk introducing an XSS vulnerability.

Read more about using dangerouslySetInnerHTML.

Examples

❌ Incorrect

function Component() {
  return <div dangerouslySetInnerHTML={{ __html: "Hello World" }}>Hello World</div>;
}
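
Why the rule flags this prop, shown as an added example that is not from the original page or the plugin. It uses a toy string renderer: `render`, `escapeHtml` and the plain-object element shape are assumptions made for illustration, not React's implementation. The same untrusted string is escaped when passed as a text child and kept as live markup when passed through `dangerouslySetInnerHTML`.

```javascript
// Toy model (an assumption, not React's source): elements are plain objects
// shaped like { type, props }, and render() turns them into an HTML string.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function render(node) {
  // Text children are escaped, so markup in them is displayed, not parsed.
  if (typeof node === "string" || typeof node === "number") return escapeHtml(node);
  if (node == null || typeof node === "boolean") return "";
  if (Array.isArray(node)) return node.map(render).join("");

  const { type, props = {} } = node;
  const raw = props.dangerouslySetInnerHTML;
  // The prop this rule flags: __html is written into the output unescaped.
  const inner = raw ? String(raw.__html) : render(props.children);
  return `<${type}>${inner}</${type}>`;
}

// Constructed sample of untrusted input, e.g. a comment body typed by a user.
const untrusted = '<img src=x onerror="alert(1)">';

// Flagged by the rule: the string becomes part of the page's markup.
const flagged = { type: "div", props: { dangerouslySetInnerHTML: { __html: untrusted } } };

// Preferred: pass the same string as a text child so it is escaped.
const safe = { type: "div", props: { children: untrusted } };

console.log(render(flagged));
console.log(render(safe));
```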