jsx-eslint/eslint-plugin-react

no-danger does not report dangerouslySetInnerHTML usage in React.createElement

Open

#4004 opened on May 4, 2026

View on GitHub
 (3 comments) (0 reactions) (0 assignees)JavaScript (8,630 stars) (2,797 forks)batch import
enhancementhelp wanted

Description

The no-danger rules only reports dangerouslySetInnerHTML when it's used in JSX, but not when it's used in React.createElement

To be fair, it's mentioned in the rule description, but it took me a bit to see this. Also, the similar no-danger-with-children rule does report usage in React.createElement, so it would be nice to be consistent here.

Contributor guide

Tech stack
javascriptreact
Domain
frontendtooling
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
basic understanding of ESLint plugin developmentfamiliarity with AST
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
To fix this, examine the current implementation of the `no danger` rule in `lib/rules/no danger.js`. Look at how the `no danger with children` rule handles `React.createElement` calls in its source file for a pattern to follow. Add a visitor for `CallExpression` nodes where the callee is `React.createElement` and check if any argument uses `dangerouslySetInnerHTML`. Ensure the rule also works for imported `createElement` aliases. Refer to comments in the issue for any maintainer guidance.