no-script-url

Full Name in eslint-plugin-react-dom

react-dom/no-script-url

Full Name in @eslint-react/eslint-plugin

@eslint-react/dom/no-script-url

Presets

  • dom
  • recommended
  • recommended-typescript
  • recommended-type-checked

Description

Disallow javascript: URLs as attribute values.

javascript: URLs are a vector for cross-site scripting (XSS). If an attacker can control such a URL, the script it carries runs in the context of your website, which can be used to steal user data, deface your website, or perform other malicious actions.

Examples

Failing

import React from "react";
 
function MyComponent() {
  return <a href="javascript:alert('Hello, world!')">Click me</a>;
  //        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  //        - Using a `javascript:` URL is a security risk and should be avoided.
}

Passing

import React from "react";
 
function MyComponent() {
  return <a href="/some-page">Click me</a>;
}
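
A lint rule sees only what is written in the source; a link target that arrives at runtime (user input, an API response) needs its own check. The following is an added example, not code from eslint-react: a hypothetical `safeHref` helper that passes relative paths and an assumed allowlist of schemes (http, https, mailto) and replaces everything else with a fallback.

```javascript
// Added example, not eslint-react code. safeHref, ALLOWED_PROTOCOLS and BASE
// are hypothetical names; the allowed schemes are an assumption to adapt.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://app.example"; // constructed origin for resolving relative URLs

function safeHref(value, fallback = "#") {
  if (typeof value !== "string") return fallback;
  let parsed;
  try {
    // The WHATWG URL parser strips leading control characters and spaces and
    // drops embedded tabs and newlines, as browsers do, so " JavaScript:..."
    // and "java\tscript:..." are both recognised as the javascript: scheme.
    parsed = new URL(value, BASE);
  } catch {
    return fallback; // unparseable input is rejected
  }
  // Relative paths resolve against BASE and therefore report "https:".
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? value : fallback;
}

// Constructed sample inputs: [input, expected result].
const SAMPLES = [
  ["/some-page", "/some-page"],
  ["https://example.com/docs", "https://example.com/docs"],
  ["mailto:team@example.com", "mailto:team@example.com"],
  ["javascript:alert('Hello, world!')", "#"],
  ["  JavaScript:alert(1)", "#"],
  ["java\tscript:alert(1)", "#"],
  ["data:text/html,<b>x</b>", "#"],
  [null, "#"],
];

function runSamples() {
  return SAMPLES.map(([input, expected]) => ({
    input,
    output: safeHref(input),
    ok: safeHref(input) === expected,
  }));
}

console.table(runSamples());
```

In a component the helper wraps the dynamic value, for example `<a href={safeHref(profileUrl)}>`, where `profileUrl` is a hypothetical runtime value.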

Implementation
