Security News
Deno 2.6 + Socket: Supply Chain Defense In Your CLI
Deno 2.6 introduces deno audit with a new --socket flag that plugs directly into Socket to bring supply chain security checks into the Deno CLI.
By Sarah Gooding -  Dec 12, 2025
🚨 Shai-Hulud Strikes Again:834 Packages Compromised.Technical Analysis →
dangerously-set-html-content
Advanced tools
⚠️⚠️⚠️ dangerously-set-html-content ⚠️⚠️⚠️
Render raw html at your own risk!
Context
Here's a blog post that explain more in detail:
TL;DR
React uses dangerouslySetInnerHtml prop to render raw html, and works pretty much well for almost all the cases, but what if your html has some scripts tags inside??
When you use dangerouslySetInnerHtml on a component, internally react is using the innerHTML property of the node to set the content, which for safety purposes doesn't execute any javascript.
This behavior seemed very odd to me (I mean the prop name contains the word dangerously, and also you need to pass an object with a __html propery, which is on purpose, so you really know what you doing), although it have totally sense now, still doesn't solve my issue
After a little bit of search I found that the document has something called Range, this API let you create a fragment of the document, so using that I created dangerously-set-html-content.
This React component renders html from a string, and executes any js code inside of it!! 🎉
🚨🚨 USE IT AT YOUR OWN RISK 🚨🚨
Install
yarn add dangerously-set-html-content
// or
// npm install --save dangerously-set-html-content
Usage
import React from 'react'
import InnerHTML from 'dangerously-set-html-content'
function Example {
const html = `
<div>This wil be rendered</div>
<script>
alert('testing')
</script>
`
return (
<InnerHTML html={html} />
)
}
This will also work for scripts with the src attribute set it
Note: By default this component only inserts the js that you pass in on the first render, after that it doesn't rerender. See https://github.com/christo-pr/dangerously-set-html-content/pull/7. You can pass
allowRerenderprop to rerender the component
Available Props
| Prop | Required | Value | Description |
|---|---|---|---|
html | Yes | String | The stringified code you want to execute |
allowRerender | No | Boolean | If set to true will allow to rerender the component |
Development
After cloning the repo and install all deps, you can do to example/ directory to install the example dependencies (the package will be a symlink to the file in src/)
Once you're on that directory you can run:
npm start
And an example all will be open.
Running unit test
Run:
npm test
License
MIT © christo-pr
FAQs
Render raw html at your own risk!
The npm package dangerously-set-html-content receives a total of 121,519 weekly downloads. As such, dangerously-set-html-content popularity was classified as popular.
We found that dangerously-set-html-content demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 14 Nov 2023
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
New React Server Components Vulnerabilities: DoS and Source Code Exposure
New DoS and source code exposure bugs in React Server Components and Next.js: what’s affected and how to update safely.
By Sarah Gooding -  Dec 12, 2025
Security News
Software Engineering Daily Podcast: Feross on AI, Open Source, and Supply Chain Risk
Socket CEO Feross Aboukhadijeh joins Software Engineering Daily to discuss modern software supply chain attacks and rising AI-driven security risks.
By Sarah Gooding -  Dec 11, 2025