---
source: crates/biome_js_analyze/tests/spec_tests.rs
expression: createElementBindingInvalid.js
---
# Input
```jsx
import React, { createElement } from "react";

React.createElement('div', {
    dangerouslySetInnerHTML: { __html: 'child' }
});

createElement('div', {
    dangerouslySetInnerHTML: { __html: 'child' }
});
```

# Diagnostics
```
createElementBindingInvalid.js:4:5 lint/security/noDangerouslySetInnerHtml ━━━━━━━━━━━━━━━━━━━━━━━━━

  ! Avoid passing content using the dangerouslySetInnerHTML prop.
  
    3 │ React.createElement('div', {
  > 4 │     dangerouslySetInnerHTML: { __html: 'child' }
      │     ^^^^^^^^^^^^^^^^^^^^^^^
    5 │ });
    6 │ 
  
  ! Setting content using code can expose users to cross-site scripting (XSS) attacks
  

```

```
createElementBindingInvalid.js:8:5 lint/security/noDangerouslySetInnerHtml ━━━━━━━━━━━━━━━━━━━━━━━━━

  ! Avoid passing content using the dangerouslySetInnerHTML prop.
  
    7 │ createElement('div', {
  > 8 │     dangerouslySetInnerHTML: { __html: 'child' }
      │     ^^^^^^^^^^^^^^^^^^^^^^^
    9 │ });
  
  ! Setting content using code can expose users to cross-site scripting (XSS) attacks
  

```