Disallow Element.prototype.innerHTML in favor of Element.prototype.textContent (github/no-inner-html)

March 23, 2023 ยท View on GitHub

๐Ÿ’ผ This rule is enabled in the ๐Ÿ” browser config.

Rule Details

Using innerHTML poses a potential security risk. Prefer using textContent to set text to an element.

Related security notification

It may be reasonable to disable this rule in testing setups that use known, trusted input and carry little security risk.

๐Ÿ‘Ž Examples of incorrect code for this rule:

function setContent(element, content) {
  element.innerHTML = content
}

๐Ÿ‘ Examples of correct code for this rule:

function setContent(element, content) {
  element.textContent = content
}

Version

4.3.2