no-script-url
Full Name in eslint-plugin-react-dom
react-dom/no-script-urlFull Name in @eslint-react/eslint-plugin
@eslint-react/dom/no-script-urlFeatures
🔍
Presets
domrecommendedrecommended-typescriptrecommended-type-checked
What it does
Prevents usage of javascript: URLs as the value of certain attributes.
javascript: URLs are a form of XSS attack. They allow an attacker to execute arbitrary JavaScript in the context of your website, which can be used to steal user data, deface your website, or perform other malicious actions.
Examples
Failing
import React from "react";
function MyComponent() {
return <a href="javascript:alert('Hello, world!')">Click me</a>;
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
// - Using a `javascript:` URL is a security risk and should be avoided.
}Passing
import React from "react";
function MyComponent() {
return <a href="/some-page">Click me</a>;
}