SEC005errorFree tier

inner-html-xss

Direct innerHTML assignment can lead to XSS vulnerabilities

Applies to: JavaScript, TypeScript

Why this matters

Setting innerHTML with user-controlled content is one of the most common XSS vulnerabilities. Attackers can inject malicious scripts that steal cookies, session tokens, or perform actions on behalf of users. Use textContent for plain text, or sanitize HTML with a library like DOMPurify.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC005 includedstablestack explain SEC005

False positive in your codebase? Suppress a single line with # noqa: SEC005