DEV Community: Prateek Lohani The latest articles on DEV Community by Prateek Lohani (@prateek_lohani). https://dev.to/prateek_lohani https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2805780%2Ffb740249-01c7-446e-9f48-b93347e5ead4.jpeg DEV Community: Prateek Lohani https://dev.to/prateek_lohani en Why You should avoid dangerouslySetInnerHTML in React? Prateek Lohani Sun, 02 Feb 2025 17:51:59 +0000 https://dev.to/prateek_lohani/why-you-should-avoid-dangerouslysetinnerhtml-in-react-4ok https://dev.to/prateek_lohani/why-you-should-avoid-dangerouslysetinnerhtml-in-react-4ok <p>The <u>dangerouslySetInnerHTML</u> in React allows developers to directly set the innerHTML property of an element without any sanitization. Passing untrusted user input into the attribute is risky and can lead to serious security vulnerabilities like Cross-Site-Scripting (XSS).<br> So, It is always the best choice to avoid passing untrusted user input to the dangerouslySetInnerHTML attribute.<br> If passing user input is absolutely necessary, ensure that the input is sanitized.</p> <p>Usage -<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import React, { useEffect, useRef } from "react"; const sanitizeHTML = (html) =&gt; { // Only run in browser environment if (typeof window === 'undefined') return html; try { const parser = new DOMParser(); const doc = parser.parseFromString(html, "text/html"); // Define all the allowed tags to use const allowedTags = ["p"]; const sanitizeNode = (node) =&gt; { if (node.nodeType === Node.ELEMENT_NODE) { const element = node; // Process children first Array.from(element.childNodes).forEach((child) =&gt; sanitizeNode(child)); if (!allowedTags.includes(element.tagName.toLowerCase())) { // Replace element with its children while (element.firstChild) { element.parentNode.insertBefore(element.firstChild, element); } element.remove(); } } }; sanitizeNode(doc.body); return doc.body.innerHTML; } catch (error) { console.error('Error sanitizing HTML:', error); return html; // Return original content if sanitization fails } }; const SanitizeContent = ({ content }) =&gt; { const ref = useRef(null); useEffect(() =&gt; { if (ref.current) { const sanitized = sanitizeHTML(content); ref.current.innerHTML = sanitized; } }, [content]); return &lt;div ref={ref} /&gt;; }; const App = () =&gt; { const item = '&lt;p&gt;This is the sample !&lt;/p&gt;' return ( &lt;&gt; &lt;SanitizeContent content={item} /&gt; &lt;/&gt; ); }; export default App; </code></pre> </div> webdev javascript react programming