- Published on
Understanding dangerouslySetInnerHTML in React: Use Cases and Risks
Is it really dangerous?
- Authors
- Name
- Nico Prananta
- Follow me on Bluesky
In the world of React development, handling HTML content requires a careful approach, particularly when it comes to injecting raw HTML into the DOM. One of React's features, dangerouslySetInnerHTML
, often becomes a topic of discussion due to its potential risks and specific use cases. In this blog post, we'll explore what dangerouslySetInnerHTML
is, why it's considered dangerous, and the scenarios where its use might be acceptable.
What is dangerouslySetInnerHTML
?
React's dangerouslySetInnerHTML
is a property that allows developers to set HTML content directly into the DOM from within a React component. It's analogous to using innerHTML
in plain JavaScript but comes with an explicit warning in its name, indicating the potential risks associated with its use.
Why is dangerouslySetInnerHTML
Dangerous?
The primary risk associated with dangerouslySetInnerHTML
lies in its ability to bypass React's built-in Cross-Site Scripting (XSS) protections. React automatically escapes string values to ensure that anything rendered is treated as text rather than executable HTML or JavaScript. However, dangerouslySetInnerHTML
circumvents this security measure, potentially allowing harmful scripts to be executed in the browser.
For example, if a user inputs a string like "<script>alert('Hacked!');</script>"
, and it's passed directly via dangerouslySetInnerHTML
, the script will execute when the page loads. This vulnerability can lead to severe security issues like data theft, session hijacking, and other malicious activities.
When is Using dangerouslySetInnerHTML
Acceptable?
Despite its risks, there are scenarios where using dangerouslySetInnerHTML
is acceptable, primarily when dealing with trusted or sanitized content. Here are some use cases:
Trusted CMS Content: If the HTML is sourced from a CMS controlled by your organization,
dangerouslySetInnerHTML
can be used, ideally with additional sanitization.Third-Party Widgets: For embedding content from trusted third-party services, like social media widgets or video players.
Markdown/Rich Text Editor Output: When displaying content from markdown or rich text editors, where the output is sanitized.
Performance Optimization: In rare cases, for performance reasons, you might use
dangerouslySetInnerHTML
to update the inner HTML directly. This should be done cautiously.
While dangerouslySetInnerHTML
offers a straightforward way to inject HTML into your React application, it's crucial to use it judiciously. Always ensure that any HTML content is either from a trusted source or has been thoroughly sanitized to prevent XSS attacks. Remember, the name itself is a cautionary label, signaling developers to think twice before using it.
Update
My collegue in Hyperjump mentioned about DOMPurify library in order to sanitize the HTML and to prevent XSS attacks before assigning the HTML to dangerouslySetInnerHTML
.