# prefer-dom-node-html-methods
📝 Prefer `.getHTML()` and `.setHTML()` over `.innerHTML`.
🚫 This rule is _disabled_ in the following [configs](https://github.com/sindresorhus/eslint-plugin-unicorn#recommended-config): ✅ `recommended`, ☑️ `unopinionated`.
🔧💡 This rule is automatically fixable by the [`--fix` CLI option](https://eslint.org/docs/latest/user-guide/command-line-interface#--fix) and manually fixable by [editor suggestions](https://eslint.org/docs/latest/use/core-concepts#rule-suggestions).
[`Element#getHTML()`](https://developer.mozilla.org/en-US/docs/Web/API/Element/getHTML) and [`Element#setHTML()`](https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML) are safer and more modern alternatives to `.innerHTML`. Crucially, `setHTML()` automatically sanitizes the HTML to remove dangerous scripts before inserting it, while `.innerHTML` does not.
This rule is opt-in until Safari supports `setHTML()`, at which point it can become recommended.
## Examples
```js
// ❌ - No sanitization, vulnerable to XSS
const html = element.innerHTML;
// ✅ - No sanitization needed on read, but clearer API
const html = element.getHTML();
```
```js
// ❌ - Dangerous! XSS vulnerability if html contains untrusted content
element.innerHTML = userProvidedHTML;
// ✅ - Automatically sanitizes malicious scripts
element.setHTML(userProvidedHTML);
```
```js
// ✅ - Before setHTML(), you had to manually sanitize
// This was error-prone:
element.innerHTML = sanitizeHTML(userInput); // Easy to forget sanitization
// Now it's built in:
element.setHTML(userInput); // Automatic sanitization
```
```js
// ✅ - Use trusted HTML when you know it's safe
element.setHTML('Safe static HTML');
```