{"id":19922,"library":"eslint-plugin-risxss","title":"eslint-plugin-risxss","description":"An ESLint plugin that detects potential XSS vulnerabilities in React (dangerouslySetInnerHTML) and Vue (v-html) applications. Current stable version is 2.1.0, with irregular releases. It enforces the use of a sanitization function (like DOMPurify) on all dynamic HTML content. Compared to generic XSS scanners, RisXSS integrates directly into the linting pipeline, providing instant feedback during development. It supports both React and Vue, and allows configuration of trusted sanitization libraries.","status":"active","version":"2.1.0","language":"javascript","source_language":"en","source_url":"https://github.com/theodo/RisXSS","tags":["javascript"],"install":[{"cmd":"npm install eslint-plugin-risxss","lang":"bash","label":"npm"},{"cmd":"yarn add eslint-plugin-risxss","lang":"bash","label":"yarn"},{"cmd":"pnpm add eslint-plugin-risxss","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"peer dependency required for plugin consumption","package":"eslint","optional":false}],"imports":[{"note":"Rule is configured via ESLint rules object; severity can be 'error', 'warn', or 2.","wrong":"rules: { 'risxss/catch-potential-xss-react': 2 }","symbol":"catch-potential-xss-react","correct":"rules: { 'risxss/catch-potential-xss-react': 'error' }"},{"note":"Options object with trustedLibraries array is optional.","wrong":"rules: { 'risxss/catch-potential-xss-vue': 'error' } without options when needed","symbol":"catch-potential-xss-vue","correct":"rules: { 'risxss/catch-potential-xss-vue': ['error', { trustedLibraries: ['xss'] }] }"}],"quickstart":{"code":"// Install plugin\nyarn add eslint-plugin-risxss --dev\n\n// .eslintrc.js\nmodule.exports = {\n  env: { browser: true, es6: true },\n  extends: 'eslint:recommended',\n  parserOptions: { ecmaFeatures: { jsx: true }, ecmaVersion: 2018, sourceType: 'module' },\n  plugins: ['react', 'risxss'],\n  rules: { 'risxss/catch-potential-xss-react': 'error' }\n};\n\n// Component with potential XSS\nimport React from 'react';\nimport DOMPurify from 'dompurify';\n\nconst MyComponent = ({ html }) => {\n  // This will trigger the rule because DOMPurify is not used\n  return <div dangerouslySetInnerHTML={{ __html: html }} />;\n};\n\n// To fix, sanitize the input:\nconst SafeComponent = ({ html }) => {\n  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />;\n};","lang":"javascript","description":"Demonstrates installing the plugin, configuring the React XSS rule, and a component that triggers the lint error with the fix using DOMPurify.sanitize."},"warnings":[{"fix":"Replace any usage of `trustedCalls` option with `trustedLibraries` array of function names.","message":"v2.0.0 removed the old `trustedCalls` option; use `trustedLibraries` instead.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Add `trustedLibraries: ['yourSanitizer']` to the rule options.","message":"Default trusted library is assumed to be `DOMPurify.sanitize`. If you do not use DOMPurify, you must specify your own trusted library via the `trustedLibraries` option.","severity":"deprecated","affected_versions":"all"},{"fix":"Define any dynamic HTML generation in a function that uses a trusted sanitizer and is called with known arguments.","message":"The plugin only lints static code; dynamic or indirect calls to `dangerouslySetInnerHTML` may not be caught.","severity":"gotcha","affected_versions":"all"},{"fix":"Always wrap the HTML in a call to a trusted sanitizer like `DOMPurify.sanitize`.","message":"The plugin does not check the content of the HTML passed to `dangerouslySetInnerHTML`; it only ensures a sanitization function is used in the same expression.","severity":"gotcha","affected_versions":"all"},{"fix":"Consider using additional linting rules or manual reviews for other XSS vectors.","message":"For Vue projects, the rule only applies to `v-html`; it does not cover other potential XSS vectors like `:innerHTML` or dynamic component rendering.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Run `yarn add eslint-plugin-risxss --dev` and add `'risxss'` to the `plugins` array in your ESLint config.","cause":"The plugin is not installed or not added to the plugins array in ESLint configuration.","error":"Definition for rule 'risxss/catch-potential-xss-react' was not found."},{"fix":"Install the plugin: `npm install eslint-plugin-risxss --save-dev` or `yarn add eslint-plugin-risxss --dev`.","cause":"The plugin is not installed in the project's node_modules.","error":"ESLint couldn't find the plugin \"eslint-plugin-risxss\"."},{"fix":"Wrap the value in `DOMPurify.sanitize()` or a custom function listed in `trustedLibraries`.","cause":"Detected use of `dangerouslySetInnerHTML` or `v-html` without a call to a trusted sanitization function.","error":"Argument to HTML string interpolation must be sanitized."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}