logoESLint React
Rules

no-script-url

Full Name in eslint-plugin-react-dom

react-dom/no-script-url

Full Name in @eslint-react/eslint-plugin

@eslint-react/dom/no-script-url

Features

🔍

Presets

  • dom
  • recommended
  • recommended-typescript
  • recommended-type-checked

What it does

Prevents usage of javascript: URLs as the value of attributes.

javascript: URLs are a form of XSS attack. They allow an attacker to execute arbitrary JavaScript in the context of your website, which can be used to steal user data, deface your website, or perform other malicious actions.

Examples

Failing

import React from "react";
 
function MyComponent() {
  return <a href="javascript:alert('Hello, world!')">Click me</a>;
  //        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  //        - Using a `javascript:` URL is a security risk and should be avoided.
}

Passing

import React from "react";
 
function MyComponent() {
  return <a href="/some-page">Click me</a>;
}

Implementation

Previous

no-render-return-value

Next

no-unknown-property

On this page