
ast/react-dangerously-set-inner-html-user-input

React XSS: dangerouslySetInnerHTML fed user-controlled HTML

critical · AST · xss · CWE-79 · js · ts

What it detects

A React component sets `dangerouslySetInnerHTML` with `__html` sourced from `req.body`, `req.query`, `req.params`, `req.headers`, `ctx.request`, or `userInput`. React intentionally skips its escaping for this attribute, so any HTML in the input (including `<script>`) executes in the browser. Either render the content as text (drop `dangerouslySetInnerHTML`), or pass it through an HTML sanitiser (DOMPurify) before assigning it.

How it runs

Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.
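Added example, not repoguard's own code: a stand-alone detector for the shape described under "What it detects", written against the TypeScript compiler API directly (the real rule goes through ts-morph) and run over constructed sample components. The textual source match and the `DOMPurify.sanitize` recognition are assumptions that stand in for whatever data-flow and sanitiser checks the real rule performs.

```typescript
import * as ts from "typescript";

// The sources this rule treats as user-controlled (taken from the rule text above).
const USER_SOURCES = ["req.body", "req.query", "req.params", "req.headers", "ctx.request", "userInput"];

export interface Finding { line: number; html: string; }

// True when the __html expression is a direct DOMPurify.sanitize(...) call.
// Assumption: a simplified stand-in for the sanitiser recognition the real rule may do.
function isDomPurifyCall(expr: ts.Expression, sf: ts.SourceFile): boolean {
  return ts.isCallExpression(expr) && expr.expression.getText(sf) === "DOMPurify.sanitize";
}

// Walk a TSX source and report each dangerouslySetInnerHTML whose __html value
// mentions a user-controlled source (a textual check; the real rule tracks data flow).
export function findDangerousInnerHtml(code: string): Finding[] {
  const sf = ts.createSourceFile("sample.tsx", code, ts.ScriptTarget.Latest, true, ts.ScriptKind.TSX);
  const findings: Finding[] = [];
  const visit = (node: ts.Node): void => {
    if (ts.isJsxAttribute(node) && node.name.getText(sf) === "dangerouslySetInnerHTML") {
      const init = node.initializer;
      const obj = init && ts.isJsxExpression(init) ? init.expression : undefined;
      if (obj && ts.isObjectLiteralExpression(obj)) {
        for (const prop of obj.properties) {
          if (!ts.isPropertyAssignment(prop) || prop.name.getText(sf) !== "__html") continue;
          const html = prop.initializer.getText(sf);
          const tainted = USER_SOURCES.some((src) => html.includes(src));
          if (tainted && !isDomPurifyCall(prop.initializer, sf)) {
            const { line } = sf.getLineAndCharacterOfPosition(prop.getStart(sf));
            findings.push({ line: line + 1, html });
          }
        }
      }
    }
    ts.forEachChild(node, visit);
  };
  visit(sf);
  return findings;
}

// Constructed samples: the flagged shape, then the two fixes the rule text recommends.
export const VULNERABLE = `export function Comment({ req }) {
  return <div dangerouslySetInnerHTML={{ __html: req.body.comment }} />;
}`;
export const FIXED_AS_TEXT = `export function Comment({ req }) {
  return <div>{req.body.comment}</div>;
}`;
export const FIXED_SANITISED = `import DOMPurify from "dompurify";
export function Comment({ req }) {
  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(req.body.comment) }} />;
}`;
```

Running `findDangerousInnerHtml(VULNERABLE)` reports one finding on line 2 with `__html` set to `req.body.comment`; both fixed samples return no findings.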

Found a false positive or want this rule tuned? File an issue. You can also suppress it per repository via a `.repoguardignore` line.