# `is-unsafe`
> Zero-dependency, DOM-free, pure predicate for detecting unsafe strings across HTML, XML, SVG, SQL, SQL-STRICT, SHELL, REDOS, NOSQL, and LOG contexts.
[npm package](https://www.npmjs.com/package/is-unsafe) · [License](LICENSE)
---
## Why `is-unsafe`?
Sanitizer libraries like [DOMPurify](https://github.com/cure53/DOMPurify) require a DOM. They cannot run inside XML parsers, template engines, or server-side pipelines that process strings before they ever reach a browser.
`is-unsafe` fills that gap. It is a **pure predicate** — it answers one question:
> *Is this string value unsafe in a given context?*
It never mutates strings. It never touches the DOM. It has zero runtime dependencies.
### Motivating use case: `@nodable/entities` / `fast-xml-parser`
DOCTYPE blocks can define custom entities with arbitrary values, and an XML parser expands those values into the document long before any browser-side sanitizer could see them. Checked in the `'HTML'` context, such a value is reported as a rule match. The single-match and all-matches results look like this (the calling expressions themselves did not survive in this copy of the page):
```js
// Single match for a string containing an opening <script> tag and alert(1):
// {
//   context: 'HTML',
//   id: 'html-script-open',
//   description: ...
// }

// All matches for a string that also carries a closing </script> tag
// and an inline event handler:
// [
//   { context: 'HTML', id: 'html-script-open', ... },
//   { context: 'HTML', id: 'html-script-close', ... },
//   { context: 'HTML', id: 'html-inline-event-handler', ... }
// ]
```
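The scenario above, as an added example that is not part of the `is-unsafe` package or this README: a DOM-free predicate applied to the entity values declared in a DOCTYPE internal subset, so that unsafe values are flagged before any parser expands them. The rule ids mirror the ones shown on this page; the regular expressions behind them, the helper names (`findUnsafe`, `extractEntities`, `checkDoctypeEntities`) and the sample document are assumptions made for this illustration, not the package's real API.

```javascript
// Added illustration, not code from the is-unsafe package. Rule ids follow the
// README; the patterns and helper names below are assumptions for this example.

const HTML_RULES = [
  { context: 'HTML', id: 'html-script-open',
    description: 'opening <script> tag', re: /<script\b/i },
  { context: 'HTML', id: 'html-script-close',
    description: 'closing </script> tag', re: /<\/script\s*>/i },
  { context: 'HTML', id: 'html-inline-event-handler',
    description: 'inline on*= event handler attribute', re: /\bon[a-z]+\s*=/i },
];

// Pure predicate: returns every rule the value trips in the given context.
// Only the HTML context is modelled here; the string is never mutated.
function findUnsafe(value, context = 'HTML') {
  if (context !== 'HTML') throw new Error(`unsupported context: ${context}`);
  return HTML_RULES
    .filter(rule => rule.re.test(value))
    .map(({ context, id, description }) => ({ context, id, description }));
}

// Pull <!ENTITY name "value"> declarations out of a DOCTYPE internal subset.
// Only internal general entities with a literal value are handled; SYSTEM/PUBLIC
// (external) entities carry no inline value and are skipped.
function extractEntities(xml) {
  const subset = xml.match(/<!DOCTYPE[^[>]*\[([\s\S]*?)\]\s*>/i);
  if (!subset) return {};
  const entities = {};
  const decl = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = decl.exec(subset[1])) !== null) {
    entities[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return entities;
}

// Check each declared entity value in the HTML context *before* expansion.
// Returns { entityName: [ruleRecord, ...] } for the entities that are unsafe.
function checkDoctypeEntities(xml) {
  const findings = {};
  for (const [name, value] of Object.entries(extractEntities(xml))) {
    const hits = findUnsafe(value, 'HTML');
    if (hits.length > 0) findings[name] = hits;
  }
  return findings;
}

// Constructed sample document: one benign entity, one carrying script tags,
// one carrying an inline event handler.
const SAMPLE_XML = `<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY company "Example Corp">
  <!ENTITY injected "<script>alert(1)</script>">
  <!ENTITY banner "<img src='logo.png' onload='track()'>">
]>
<note>&company; &injected; &banner;</note>`;

console.log(JSON.stringify(checkDoctypeEntities(SAMPLE_XML), null, 2));
```

Running the block prints findings for `injected` (two rule records) and `banner` (one), and nothing for `company`. Because the check runs on the raw declaration text, it works inside a server-side pipeline with no DOM, which is the gap the README describes.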
---
### `VALID_CONTEXTS`
Exported array of all built-in context names.
```js
import { VALID_CONTEXTS } from 'is-unsafe';
// {
// readonly HTML: "HTML";
// readonly XML: "XML";
// readonly SVG: "SVG";
// readonly SQL: "SQL";
// readonly "SQL-STRICT": "SQL-STRICT";
// readonly SHELL: "SHELL";
// readonly REDOS: "REDOS";
// readonly NOSQL: "NOSQL";
// readonly LOG: "LOG";
// }
```
---
## Contexts
### `'HTML'`
XSS vectors when a string is rendered as HTML:
| Rule ID | What it catches |
|---------|----------------|
| `html-script-open` | `