no-script-url
Full Name in eslint-plugin-react-dom
react-dom/no-script-url
Full Name in @eslint-react/eslint-plugin
@eslint-react/dom/no-script-url
Presets
dom
recommended
recommended-typescript
recommended-type-checked
Description
Disallow javascript: URLs as attribute values.
javascript: URLs are a cross-site scripting (XSS) vector. When a user follows such a link, the browser executes the embedded code in the context of your website, which an attacker can use to steal user data, deface the site, or perform other malicious actions on the user's behalf.
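The lint rule only catches string literals it can see at build time. A value that arrives from user input or an API needs the same protection at runtime, so the following added example (written for this page, not code from eslint-react or React itself) shows a protocol allowlist for href values. The names SAFE_PROTOCOLS, isSafeUrl and safeHref are hypothetical. It parses with the WHATWG URL constructor rather than matching the string "javascript:" directly, because the parser normalizes case and strips leading whitespace, tabs and newlines the way browsers do, so obfuscated spellings of the scheme are rejected as well.

```javascript
// Added example, not part of the eslint-react documentation or the React
// code base. Names below (SAFE_PROTOCOLS, isSafeUrl, safeHref) are assumed.

// Only these schemes may appear in an href. javascript:, data:, vbscript:
// and anything else are rejected by omission, not by a denylist.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Returns true when `value` can safely be placed in an href attribute.
// Relative URLs are resolved against `base` (a constructed placeholder
// origin) and therefore inherit its https: protocol. The URL parser
// lower-cases the scheme and removes leading C0 controls/spaces and any
// tab or newline characters, so "  JavaScript:" and "java\tscript:" both
// normalize to the javascript: scheme and fail the allowlist check.
function isSafeUrl(value, base = "https://example.invalid/") {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return false; // unparseable input is treated as unsafe
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Returns a value suitable for an href: the original string when it is
// safe, otherwise an inert "#" so the anchor still renders without a
// script URL. Use this for any href that does not come from a literal.
function safeHref(value) {
  return isSafeUrl(value) ? value : "#";
}

// Stand-alone demonstration of the behaviour.
console.log(safeHref("/some-page"));                       // "/some-page"
console.log(safeHref("javascript:alert('Hello, world!')")); // "#"
console.log(safeHref("  JavaScript:alert(1)"));             // "#"
```

Note that the allowlist admits protocol-relative links such as "//other.example", since they resolve to https:; if links must stay on your own origin, compare parsed.origin against it as well.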
Examples
Failing
import React from "react";

function MyComponent() {
  return <a href="javascript:alert('Hello, world!')">Click me</a>;
  //          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  //          - Using a `javascript:` URL is a security risk and should be avoided.
}
Passing
import React from "react";

function MyComponent() {
  return <a href="/some-page">Click me</a>;
}