no-unescaped-entities

no-unescaped-entities rule

Keywords: React, JSX, entities, quotes, apostrophe, ESLint rule, HTML, LLM-optimized

Detect unescaped HTML entities in JSX. This rule is part of eslint-plugin-react-features.

Quick Summary

| Aspect | Details |
| --- | --- |
| Severity | Error (syntax) |
| Auto-Fix | ✅ Yes (escapes entities) |
| Category | React |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | All React/JSX projects |

Rule Details

Characters like >, ", ', } have special meaning in JSX and must be escaped.

Why This Matters

| Issue | Impact | Solution |
| --- | --- | --- |
| ⚠️ Syntax errors | JSX parsing fails | Use HTML entities |
| 📖 Readability | Ambiguous characters | Explicit escaping |
| 🐛 Silent failures | Wrong output | Proper encoding |

Examples

❌ Incorrect

// Unescaped special characters
<div>5 > 3</div>
<div>It's working</div>
<div>Use "quotes"</div>
<div>Value: {value}</div>  // Unescaped } if not expression

✅ Correct

<div>Hello World</div>

Entity Reference

| Character | Entity | Alternative |
| --- | --- | --- |
| > | &gt; | {'>'} or &#62; |
| < | &lt; | {'<'} or &#60; |
| " | &quot; | {'"'} or &#34; |
| ' | &apos; | {"'"} or &#39; |
| } | &#125; | {'}'} |
| { | &#123; | {'{'} |
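
As an added example (not the plugin's own code), the following JavaScript applies the Entity Reference table above to raw JSX text content: it reports each character that needs escaping and produces the escaped string. The names ENTITY_FOR, findUnescapedEntities and escapeJsxText are hypothetical, and the sample strings are constructed from the Incorrect examples on this page.

```javascript
// Added example: mirrors the Entity Reference table on this page.
// ENTITY_FOR and both function names are hypothetical, not the plugin's API.
const ENTITY_FOR = new Map([
  ['>', '&gt;'],
  ['<', '&lt;'],
  ['"', '&quot;'],
  ["'", '&apos;'],
  ['}', '&#125;'],
  ['{', '&#123;'],
]);

// Report every character from the table found in JSX text content.
// `text` is the literal text between tags, with no {expression} containers.
function findUnescapedEntities(text) {
  const findings = [];
  for (let i = 0; i < text.length; i++) {
    const suggestion = ENTITY_FOR.get(text[i]);
    if (suggestion !== undefined) {
      findings.push({ index: i, char: text[i], suggestion });
    }
  }
  return findings;
}

// Produce the escaped text. '&' and ';' are not in the table, so entities
// that are already present (e.g. "&gt;") pass through unchanged and the
// function can be applied twice without double-escaping.
function escapeJsxText(text) {
  let out = '';
  for (const ch of text) {
    out += ENTITY_FOR.get(ch) ?? ch;
  }
  return out;
}

// Constructed samples: the text content of the Incorrect examples.
const samples = ['5 > 3', "It's working", 'Use "quotes"'];
for (const sample of samples) {
  const hits = findUnescapedEntities(sample)
    .map((f) => `${f.char} at ${f.index} -> ${f.suggestion}`)
    .join(', ');
  console.log(`${sample}  =>  ${escapeJsxText(sample)}  [${hits}]`);
}
```
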

Configuration Examples

Basic Usage

{
  rules: {
    'react-features/no-unescaped-entities': 'error'
  }
}

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Dynamic Variable References

Why: Static analysis cannot trace values stored in variables or passed through function parameters.

// ❌ NOT DETECTED - Prop from variable
const propValue = computedValue;
<Component prop={propValue} /> // Computation not analyzed

Mitigation: Implement runtime validation and review code manually. Consider using TypeScript branded types for validated inputs.

Wrapped or Aliased Functions

Why: Custom wrapper functions or aliased methods are not recognized by the rule.

// ❌ NOT DETECTED - Custom wrapper
function myWrapper(data) {
  return internalApi(data); // Wrapper not analyzed
}
myWrapper(unsafeInput);

Mitigation: Apply this rule's principles to wrapper function implementations. Avoid aliasing security-sensitive functions.

Imported Values

Why: When values come from imports, the rule cannot analyze their origin or construction.

// ❌ NOT DETECTED - Value from import
import { getValue } from './helpers';
processValue(getValue()); // Cross-file not tracked

Mitigation: Ensure imported values follow the same constraints. Use TypeScript for type safety.