no-unsafe-iframe-sandbox
Full Name in eslint-plugin-react-dom
react-dom/no-unsafe-iframe-sandbox
Full Name in @eslint-react/eslint-plugin
@eslint-react/dom/no-unsafe-iframe-sandbox
Features
🔍
Presets
dom
recommended
recommended-typescript
recommended-type-checked
What it does
Enforces sandbox
attribute for iframe
elements is not set to unsafe combinations.
Why is this bad?
If sandbox
attribute is not set, the iframe content can have abilities that are not intended to be allowed.
Examples
This rule reports cases where attribute contains allow-scripts
and allow-same-origin
at the same time as this combination allows the embedded document to remove the sandbox attribute and bypass the restrictions.
Failing
import React from "react";
function Example() {
return (
<iframe
src="https://example.com"
sandbox="allow-scripts allow-same-origin"
/>
);
}
Passing
import React from "react";
function Example() {
return <iframe src="https://example.com" sandbox="allow-popups" />;
}