no-unsanitized #9460

kpervin · 2026-03-12T14:43:34Z

kpervin
Mar 12, 2026

Having no-unsanitized would be a huge benefit. Just having noDangerouslySetInnerHtml is a bit cumbersome when the expected workflow is to justify use every single time but still ignoring it.

As a proof of concept, I mocked up a possible plugin with Claude Opus 4.6.

README.md

no-unsanitized

A Biome GritQL plugin that flags unsafe DOM manipulation patterns that can lead to Cross-Site Scripting (XSS) vulnerabilities.

Inspired by eslint-plugin-no-unsanitized (Mozilla) and no-sanitizer-with-danger (Jam3).

What it catches

Only unwrapped usages are flagged. Values wrapped in a known sanitizer function are allowed.

Property assignments

Pattern	Risk
`el.innerHTML = value`	Unsanitized HTML injection
`el.innerHTML += value`	Unsanitized HTML injection
`el.outerHTML = value`	Unsanitized HTML injection
`el.outerHTML += value`	Unsanitized HTML injection

Method calls

Pattern	Risk
`el.insertAdjacentHTML(pos, html)`	Unsanitized HTML injection
`document.write(html)`	Unsanitized HTML injection
`document.writeln(html)`	Unsanitized HTML injection
`range.createContextualFragment(html)`	Unsanitized HTML injection
`el.setHTMLUnsafe(html)`	Bypasses the Sanitizer API

React / JSX

Pattern	Risk
`dangerouslySetInnerHTML={{ __html: value }}`	Unsanitized HTML injection

Allowed sanitizers

The plugin does not flag values that are passed through one of these function calls:

DOMPurify.sanitize(...) / dompurify.sanitize(...) — DOMPurify
xss(...) / filterXSS(...) — xss
sanitizeHtml(...) — sanitize-html
sanitize(...) — generic fallback (e.g. custom project sanitizer)

Only direct use of these calls is recognized. If you assign the result to a variable and then use that variable (e.g. const clean = DOMPurify.sanitize(html); el.innerHTML = clean;), the assignment is still flagged because the plugin does not trace variables.

Enabling

Add the plugin path to the root biome.json:

{
  "plugins": ["<path_to_plugin>/no-unsanitized.grit"]
}

The plugin runs on all JavaScript, TypeScript, and JSX/TSX files.

Limitations

No variable tracing — the plugin cannot follow variable declarations. Only expressions that are directly wrapped in an allowed sanitizer call are considered safe.
Fixed allowlist — only the sanitizer names above are recognized. Custom wrapper names not in the list require a Biome disable comment.
Operator coverage — only = and += are matched for property assignments. Operators like ||=, &&=, and ??= are not covered.

To suppress a single safe usage that still gets flagged:

// biome-ignore lint/plugin: custom sanitizer / safe usage
el.innerHTML = mySanitizer(html);

PLUGIN:

language js(typescript, jsx);

or {
  `$obj.innerHTML = $val` where {
    not $val <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $val,
      message = "Unsafe assignment to innerHTML. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `$obj.innerHTML += $val` where {
    not $val <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $val,
      message = "Unsafe assignment to innerHTML. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `$obj.outerHTML = $val` where {
    not $val <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $val,
      message = "Unsafe assignment to outerHTML. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `$obj.outerHTML += $val` where {
    not $val <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $val,
      message = "Unsafe assignment to outerHTML. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `$obj.insertAdjacentHTML($pos, $html)` where {
    not $html <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $html,
      message = "Unsafe call to insertAdjacentHTML. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `document.write($html)` where {
    not $html <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $html,
      message = "Unsafe call to document.write. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `document.writeln($html)` where {
    not $html <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $html,
      message = "Unsafe call to document.writeln. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `$obj.createContextualFragment($html)` where {
    not $html <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $html,
      message = "Unsafe call to createContextualFragment. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `$obj.setHTMLUnsafe($html)` where {
    not $html <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $html,
      message = "Unsafe call to setHTMLUnsafe. Use the Sanitizer API (setHTML) or wrap in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  },
  `dangerouslySetInnerHTML={{ __html: $val }}` where {
    not $val <: or {
      `DOMPurify.sanitize($__)`,
      `dompurify.sanitize($__)`,
      `xss($__)`,
      `filterXSS($__)`,
      `sanitizeHtml($__)`,
      `sanitize($__)`
    },
    register_diagnostic(
      severity = "error",
      span = $val,
      message = "Unsafe dangerouslySetInnerHTML without sanitizer. Wrap the value in a sanitizer (e.g. DOMPurify.sanitize, sanitizeHtml, xss)."
    )
  }
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

no-unsanitized #9460

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Uh oh!

no-unsanitized #9460

Uh oh!

Uh oh!

kpervin Mar 12, 2026

README.md

no-unsanitized

What it catches

Property assignments

Method calls

React / JSX

Allowed sanitizers

Enabling

Limitations

PLUGIN:

Replies: 0 comments

kpervin
Mar 12, 2026