Sanitize HTML before dangerouslySetInnerHTML
Never feed untrusted/external HTML straight into dangerouslySetInnerHTML; run it through a vetted sanitizer (e.g. DOMPurify) first to prevent XSS.
Bad example
<div
  // biome-ignore lint/security/noDangerouslySetInnerHtml: biography contains HTML
  dangerouslySetInnerHTML={{ __html: data.companyInfoRt }}
/>
Explanation (EN)
companyInfoRt comes from an external API and is injected verbatim, so a compromised or malicious response can execute arbitrary script in the user's session.
Explanation (HR)
companyInfoRt comes from an external API and is inserted verbatim, so a compromised or malicious response can execute an arbitrary script in the user's session.
Good example
import DOMPurify from 'isomorphic-dompurify';

<div
  dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(data.companyInfoRt) }}
/>
Explanation (EN)
The HTML is sanitized before injection, stripping scripts and dangerous attributes while keeping the formatting markup.
Explanation (HR)
The HTML is sanitized before insertion, removing scripts and dangerous attributes while keeping the formatting markup.
Exceptions / Tradeoffs (EN)
If the markup is fully static and authored in-repo (not from any external/user source), sanitization is unnecessary — but prefer rendering it as JSX in that case.
Exceptions / Tradeoffs (HR)
If the markup is fully static and written in the repository (not from any external/user source), sanitization is not needed, but in that case prefer rendering it as JSX.