Understanding `dangerouslySetInnerHTML` in TypeScript

In the world of web development, React applications often need to render HTML content dynamically. React provides a prop called dangerouslySetInnerHTML which allows you to set HTML directly from JavaScript. However, this comes with security risks, especially if the content is user - generated. When working with TypeScript, which adds static typing to JavaScript, handling dangerouslySetInnerHTML requires some additional considerations. This blog post will explore the fundamental concepts, usage methods, common practices, and best practices of using dangerouslySetInnerHTML in TypeScript.

Sunday, July 06, 2025

Fundamental Concepts
Usage Methods
Common Practices
Best Practices
Conclusion
References

Fundamental Concepts

What is `dangerouslySetInnerHTML`?

In React, the dangerouslySetInnerHTML prop is a way to inject raw HTML into a component. It is an object with a single key __html, whose value is the HTML string you want to render. The “dangerously” in the name is a warning because using this prop can expose your application to cross - site scripting (XSS) attacks if the HTML content is not sanitized properly.

TypeScript and `dangerouslySetInnerHTML`

TypeScript adds type checking to JavaScript. When using dangerouslySetInnerHTML in a TypeScript - based React application, you need to ensure that the prop is used in a type - safe way. The type of the dangerouslySetInnerHTML prop in React is { __html: string }.

Usage Methods

Basic Example

Let’s start with a simple example of using dangerouslySetInnerHTML in a TypeScript React component:

import React from 'react';

const HtmlComponent: React.FC = () => {
    const htmlContent = '<p>This is a <strong>bold</strong> text.</p>';
    return (
        <div dangerouslySetInnerHTML={{ __html: htmlContent }} />
    );
};

export default HtmlComponent;

In this example, we define a simple React functional component HtmlComponent. We create an HTML string htmlContent and pass it to the dangerouslySetInnerHTML prop as an object with the __html key.

Using with Props

You can also pass the HTML content as a prop to the component:

import React from 'react';

interface HtmlComponentProps {
    html: string;
}

const HtmlComponent: React.FC<HtmlComponentProps> = ({ html }) => {
    return (
        <div dangerouslySetInnerHTML={{ __html: html }} />
    );
};

export default HtmlComponent;

You can use this component like this:

import React from 'react';
import HtmlComponent from './HtmlComponent';

const App: React.FC = () => {
    const html = '<h1>Hello, World!</h1>';
    return (
        <div>
            <HtmlComponent html={html} />
        </div>
    );
};

export default App;

Common Practices

Sanitizing HTML Content

As mentioned earlier, using dangerouslySetInnerHTML without sanitizing the HTML content can lead to security vulnerabilities. One common practice is to use a library like dompurify to sanitize the HTML.

import React from 'react';
import DOMPurify from 'dompurify';

interface HtmlComponentProps {
    html: string;
}

const HtmlComponent: React.FC<HtmlComponentProps> = ({ html }) => {
    const cleanHtml = DOMPurify.sanitize(html);
    return (
        <div dangerouslySetInnerHTML={{ __html: cleanHtml }} />
    );
};

export default HtmlComponent;

Loading HTML from an API

You may need to load HTML content from an API. Here is an example using the fetch API:

import React, { useState, useEffect } from 'react';
import DOMPurify from 'dompurify';

const HtmlComponent: React.FC = () => {
    const [htmlContent, setHtmlContent] = useState('');

    useEffect(() => {
        const fetchHtml = async () => {
            try {
                const response = await fetch('https://example.com/api/html');
                const html = await response.text();
                const cleanHtml = DOMPurify.sanitize(html);
                setHtmlContent(cleanHtml);
            } catch (error) {
                console.error('Error fetching HTML:', error);
            }
        };
        fetchHtml();
    }, []);

    return (
        <div dangerouslySetInnerHTML={{ __html: htmlContent }} />
    );
};

export default HtmlComponent;

Best Practices

Limit the Use of `dangerouslySetInnerHTML`

Only use dangerouslySetInnerHTML when it is absolutely necessary. In most cases, you can achieve the same result using React’s built - in components and JSX.

Sanitize All User - Generated Content

Always sanitize any HTML content that comes from user input or external sources. This helps prevent XSS attacks.

Keep the HTML Content Simple

Avoid using complex HTML structures with dangerouslySetInnerHTML. Complex HTML can be difficult to manage and increase the risk of security vulnerabilities.

Conclusion

dangerouslySetInnerHTML in TypeScript React applications is a powerful but potentially dangerous tool. It allows you to render raw HTML, but it also exposes your application to security risks if not used correctly. By understanding the fundamental concepts, following the common practices, and adhering to the best practices, you can use dangerouslySetInnerHTML safely and effectively in your TypeScript projects.

References

React official documentation: https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
DOMPurify documentation: https://github.com/cure53/DOMPurify
Mozilla Developer Network on XSS attacks: https://developer.mozilla.org/en-US/docs/Glossary/Cross - Site_Scripting