DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
JavaScript

JavaScript

Made by DeepSource
Use Analyzer

Avoid using dangerous JSX properties JS-0440

Security
Major
 react a03 sans top 25 owasp top 10 cwe-937

Dangerous properties in React are those whose behavior is known to be a common source of application vulnerabilities. The properties names clearly indicate they are dangerous and should be avoided unless great care is taken.

dangerouslySetInnerHTML is React's replacement for using innerHTML in the browser DOM. In general, setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) attack. So, you can set HTML directly from React, but you have to type out dangerouslySetInnerHTML and pass an object with a __html key, to remind yourself that it’s dangerous.

If you want to have dynamic HTML content that is not possible to achieve using regular React code, add a skipcq comment to prevent DeepSource from flagging this issue, along with an explanation.

Bad Practice

import React from 'react';

const Hello = <div dangerouslySetInnerHTML={{ __html: "Hello World" }}></div>;

Recommended

import React from 'react';

const Hello = <div>Hello World</div>;

References