no-unsafe-iframe-sandbox

Full Name in eslint-plugin-react-dom

react-dom/no-unsafe-iframe-sandbox

Full Name in @eslint-react/eslint-plugin

@eslint-react/dom/no-unsafe-iframe-sandbox

Features

🔍

Presets

• dom
• recommended
• recommended-typescript
• recommended-type-checked

What it does

Enforces sandbox attribute for iframe elements is not set to unsafe combinations.

If sandbox attribute is not set, the iframe content can have abilities that are not intended to be allowed.

Examples

This rule reports cases where attribute contains allow-scripts and allow-same-origin at the same time as this combination allows the embedded document to remove the sandbox attribute and bypass the restrictions.

Failing

import React from "react";
 
function MyComponent() {
  return (
    <iframe
      src="https://eslint-react.xyz"
      sandbox="allow-scripts allow-same-origin"
    />
  );
}

Passing

import React from "react";
 
function MyComponent() {
  return <iframe src="https://eslint-react.xyz" sandbox="allow-popups" />;
}

Implementation

• Rule source
• Test source

Further Reading

• MDN: iframe - sandbox

See Also

• no-missing-iframe-sandbox
  Enforces explicit sandbox attribute for iframe elements.
• no-unsafe-target-blank
  Prevents the use of target="_blank" without rel="noreferrer noopener".