code/js-xss-react-dangerously

XSS: dangerouslySetInnerHTML with non-constant value

highCode regexxssCWE-79 ↗js

What it detects

React's dangerouslySetInnerHTML renders raw HTML. Only pass pre-sanitized (e.g. DOMPurify) or statically-known HTML strings.

How it runs

Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.