SEC017warningPro

regex-html-sanitizer

Do not use regex to sanitize HTML — use DOMPurify or sanitize-html

Applies to: JavaScript, Python, TypeScript

Why this matters

Regular expressions cannot safely parse or sanitize HTML. Regex-based tag stripping like `.replace(/<script/gi, '')` is trivially bypassed with techniques like `<scr<script>ipt>`, nested tags, event handlers (`onerror`), and encoding tricks. Always use a battle-tested library like DOMPurify (browser/Node.js) or sanitize-html (Node.js) or bleach (Python).

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC017 includedstablestack explain SEC017

SEC017 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC017