The CMS content trap
When your React app renders HTML from a CMS, you probably reach for dangerouslySetInnerHTML. The name is the warning: React escapes nothing you pass through it, so whatever the CMS returns lands in the DOM as-is.
The risk
Any script, inline event handler or javascript: URL in that content executes in the user's browser, under your application's origin. This is stored XSS: session cookie theft (unless the cookie is HttpOnly), redirects to phishing pages, exfiltration of whatever the page can reach. Anyone who can write to the CMS (an editor account, a comment form, a compromised plugin) can write to every visitor's browser.
The solution: DOMPurify
import DOMPurify from 'dompurify';
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}
Sanitize at the sink, in the component that renders, not only when content is saved: the database may already hold a payload, and the next integration that writes to it will not go through your save hook. Pass an allowlist (ALLOWED_TAGS, ALLOWED_ATTR) matching what editors actually need rather than relying on the defaults. DOMPurify requires a DOM, so in server-rendered code (Next.js, for example) it must be created against a jsdom window. And if the field is plain text, render it as {content}; React escapes it and the problem disappears.
What we find
40% of React apps we audit use dangerouslySetInnerHTML without sanitization.
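One way to surface those unsanitized usages in a code review, as an added example that is not code from the article or from DOMPurify: a heuristic scan over component source that lists every dangerouslySetInnerHTML whose __html value is not a direct call to a trusted sanitizer. Only DOMPurify.sanitize is trusted by default; a project wrapper such as the hypothetical sanitizeCmsHtml below has to be named explicitly. The sample component is constructed for the example (marked is the real markdown renderer; its output is still HTML and still needs sanitizing).

```javascript
// Added example for this article, not code from the page or from DOMPurify.
// Heuristic source scan: reports each dangerouslySetInnerHTML whose __html
// expression does not start with a trusted sanitizer call. It tracks nested
// brackets but not string literals or comments, and it cannot see a sanitize
// call made earlier into a variable; that is deliberate, the sanitize call
// should be visible at the sink so a reviewer can verify it in one glance.

const MARKER_RE = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*/g;

// Escape a literal so it can be embedded in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Return every { line, expr } where expr is the raw __html value expression.
function extractInnerHtmlExpressions(source) {
  const found = [];
  MARKER_RE.lastIndex = 0;
  let m;
  while ((m = MARKER_RE.exec(source)) !== null) {
    const start = m.index + m[0].length;
    // Walk forward to the '}' that closes the inner object literal, skipping
    // any nested (), [] and {} that belong to the expression itself.
    let depth = 0;
    let i = start;
    for (; i < source.length; i++) {
      const c = source[i];
      if (c === '(' || c === '[' || c === '{') depth++;
      else if (c === ')' || c === ']') depth--;
      else if (c === '}') {
        if (depth === 0) break;
        depth--;
      }
    }
    const expr = source.slice(start, i).trim().replace(/,\s*$/, '');
    const line = source.slice(0, m.index).split('\n').length;
    found.push({ line, expr });
  }
  return found;
}

// Findings whose expression is not a call to one of the trusted sanitizers.
// Only 'DOMPurify.sanitize' is trusted by default; project wrappers around
// DOMPurify must be listed explicitly by the caller.
function findUnsanitizedInnerHtml(source, trustedCalls = ['DOMPurify.sanitize']) {
  const trusted = trustedCalls.map(
    (name) => new RegExp('^' + escapeRegExp(name) + '\\s*\\(')
  );
  return extractInnerHtmlExpressions(source).filter(
    ({ expr }) => !trusted.some((re) => re.test(expr))
  );
}

// Constructed sample component, standing in for a file from an audited app.
// sanitizeCmsHtml is a hypothetical project wrapper; marked renders markdown
// to HTML, which still has to be sanitized before it reaches the DOM.
const SAMPLE_SOURCE = `import DOMPurify from 'dompurify';
import { marked } from 'marked';

export function Post({ post }) {
  return (
    <article>
      <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(post.body) }} />
      <div dangerouslySetInnerHTML={{ __html: post.teaser }} />
      <div dangerouslySetInnerHTML={{__html: marked(post.markdown)}} />
      <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(post.footer, { ALLOWED_TAGS: ['p', 'a'], ALLOWED_ATTR: ['href'] }) }} />
      <aside dangerouslySetInnerHTML={{ __html: sanitizeCmsHtml(post.widget) }} />
    </article>
  );
}
`;

// One report line per finding, for a CI log or review comment.
function formatReport(findings) {
  return findings.map((f) => `line ${f.line}: unsanitized __html: ${f.expr}`);
}

console.log(formatReport(findUnsanitizedInnerHtml(SAMPLE_SOURCE)).join('\n'));
```

Run against the sample, the scan flags lines 8, 9 and 11; passing ['DOMPurify.sanitize', 'sanitizeCmsHtml'] as the trusted list clears line 11, which is the point: a wrapper is only acceptable once someone has read it and added it to the list. Treat a clean run as a necessary condition, not proof; a sanitizer called with RETURN_DOM or a config that allows onclick still passes this check.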
Sources
Editorial analysis based on official vendor, project, and regulator documentation.