Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

dangerously-set-html-content

Package Overview
Dependencies
Maintainers
1
Versions
15
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

dangerously-set-html-content

Render raw html at your own risk!

  • 1.1.0
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
24K
decreased by-34.57%
Maintainers
1
Weekly downloads
 
Created
Source

⚠️⚠️⚠️ dangerously-set-html-content ⚠️⚠️⚠️

Render raw html at your own risk!

NPM JavaScript Style Guide

Context

Here's a blog post that explain more in detail:

TL;DR

React uses dangerouslySetInnerHtml prop to render raw html, and works pretty much well for almost all the cases, but what if your html has some scripts tags inside??

When you use dangerouslySetInnerHtml on a component, internally react is using the innerHTML property of the node to set the content, which for safety purposes doesn't execute any javascript.

This behavior seemed very odd to me (I mean the prop name contains the word dangerously, and also you need to pass an object with a __html propery, which is on purpose, so you really know what you doing), although it have totally sense now, still doesn't solve my issue

After a little bit of search I found that the document has something called Range, this API let you create a fragment of the document, so using that I created dangerously-set-html-content.

This React component renders html from a string, and executes any js code inside of it!! 🎉

🚨🚨 USE IT AT YOUR OWN RISK 🚨🚨

Install

yarn add dangerously-set-html-content
// or
// npm install --save dangerously-set-html-content

Usage

import React from 'react'

import InnerHTML from 'dangerously-set-html-content'

function Example {

  const html = `
    <div>This wil be rendered</div>
    <script>
      alert('testing')
    </script>

  `

  return (
    <InnerHTML html={html} />
  )
}

This will also work for scripts with the src attribute set it

Note: By default this component only inserts the js that you pass in on the first render, after that it doesn't rerender. See https://github.com/christo-pr/dangerously-set-html-content/pull/7. You can pass allowRerender prop to rerender the component

Available Props

PropRequiredValueDescription
htmlYesStringThe stringified code you want to execute
allowRerenderNoBooleanIf set to true will allow to rerender the component

Development

After cloning the repo and install all deps, you can do to example/ directory to install the example dependencies (the package will be a symlink to the file in src/)

Once you're on that directory you can run:

npm start

And an example all will be open.

Running unit test

Run:

npm test

License

MIT © christo-pr

FAQs

Package last updated on 14 Nov 2023

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc