
no-script-url

Disallows 'javascript:' URLs as attribute values.

Full Name in eslint-plugin-react-dom

react-dom/no-script-url

Full Name in @eslint-react/eslint-plugin

@eslint-react/dom/no-script-url

Presets

dom, recommended, recommended-typescript, recommended-type-checked, strict, strict-typescript, strict-type-checked

Rule Details

javascript: URLs are a vector for cross-site scripting (XSS). They allow an attacker to execute arbitrary JavaScript in the context of your website, which can be used to steal user data, deface your website, or perform other malicious actions.

Common Violations

Invalid

function MyComponent() {
  return <a href="javascript:alert('Hello, world!')">Click me</a>;
  //        ^^^ Using a `javascript:` URL is a security risk and should be avoided.
}

Valid

function MyComponent() {
  return <a href="/some-page">Click me</a>;
}
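
For href values that are only known at runtime (for example, links read from user-supplied data), the same policy can be applied with an allowlist check on the parsed scheme. The following is an added example, not code from ESLint React; safeHref, auditHrefs, the allowed schemes and the base URL are assumptions chosen for illustration.

```javascript
// Added example (not from the ESLint React project). Names are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
// Constructed base URL, used only so relative links such as "/some-page" parse.
const BASE = "https://app.example/";

// Returns `value` if its scheme is allowlisted, otherwise `fallback`.
function safeHref(value, fallback = "#") {
  if (typeof value !== "string") return fallback;
  let parsed;
  try {
    // The WHATWG URL parser normalizes the scheme as a browser would:
    // it lowercases it, trims leading control characters and spaces,
    // and drops embedded tabs and newlines before the scheme is read.
    parsed = new URL(value, BASE);
  } catch {
    return fallback; // unparseable input is never rendered as a link target
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? value : fallback;
}

// Splits a list of candidate hrefs into accepted and rejected values.
function auditHrefs(values) {
  const accepted = [];
  const rejected = [];
  for (const v of values) {
    (safeHref(v, null) === null ? rejected : accepted).push(v);
  }
  return { accepted, rejected };
}

// Constructed sample input: values as they might arrive from stored user data.
const SAMPLE_HREFS = [
  "/some-page",
  "https://example.com/docs",
  "mailto:team@example.com",
  "javascript:alert('Hello, world!')",
  "JavaScript:alert('Hello, world!')",
  "java\tscript:alert('Hello, world!')",
  "data:text/html,<p>hi</p>",
];

console.log(auditHrefs(SAMPLE_HREFS));
```

In a component, the helper would wrap the dynamic value, as in href={safeHref(url)}.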
