SEC011warningPro

unsanitized-html

HTML stored without sanitization may enable XSS

Applies to: JavaScript, Python, TypeScript

Why this matters

Storing raw HTML from users and rendering it later allows XSS attacks. Attackers can inject malicious scripts, tracking pixels, or phishing content. Use DOMPurify, sanitize-html, or similar to filter dangerous content.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC011 includedstablestack explain SEC011

SEC011 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC011