# no-unsafe-dom-html
📝 Disallow unsafe DOM HTML APIs.
🚫 This rule is _disabled_ in the following [configs](https://github.com/sindresorhus/eslint-plugin-unicorn#recommended-config): ✅ `recommended`, ☑️ `unopinionated`.
Disallows DOM APIs that parse, insert, or replace DOM content from HTML.
These APIs are common XSS injection sinks. Prefer `Element#setHTML()` when replacing an element's child HTML, and prefer text APIs like `.textContent` or `.insertAdjacentText()` when the value should be treated as plain text.
This rule intentionally does not try to detect whether a value is a `TrustedHTML` object. Trusted Types safety depends on project-wide CSP enforcement and policy quality, which a local ESLint rule cannot reliably prove. If a project intentionally uses Trusted Types, disable this rule at the specific sink with a short comment.
This rule does not try to follow every indirect invocation. Calls through `.call()`, `.apply()`, `.bind()`, or non-static dynamic property names are out of scope.
## Examples
```js
// ❌
element.innerHTML = html;
element.outerHTML = html;
iframe.srcdoc = html;
element.insertAdjacentHTML('beforeend', html);
element.setHTMLUnsafe(html);
Document.parseHTMLUnsafe(html);
range.createContextualFragment(html);
iframe.setAttribute('srcdoc', html);
document.write(html);
document.writeln(html);
// ✅
element.setHTML(html);
Document.parseHTML(html);
element.textContent = text;
element.insertAdjacentText('beforeend', text);
```