no-unsafe-iframe-sandbox

Full Name in eslint-plugin-react-dom

react-dom/no-unsafe-iframe-sandbox

Full Name in @eslint-react/eslint-plugin

@eslint-react/dom/no-unsafe-iframe-sandbox

Presets

• dom
• recommended
• recommended-typescript
• recommended-type-checked

Description

Enforces sandbox attribute for iframe elements is not set to unsafe combinations.

This rule reports cases where attribute contains allow-scripts and allow-same-origin at the same time as this combination allows the embedded document to remove the sandbox attribute and bypass the restrictions.

Examples

Failing

import React from "react";

function MyComponent() {
  return (
    <iframe
      src="https://eslint-react.xyz"
      sandbox="allow-scripts allow-same-origin"
    />
  );
}

Passing

import React from "react";

function MyComponent() {
  return <iframe src="https://eslint-react.xyz" sandbox="allow-popups" />;
}

Implementation

• Rule source
• Test source

Further Reading

• MDN: iframe sandbox

See Also

• no-missing-iframe-sandbox
  Enforces explicit sandbox attribute for iframe elements.
• no-unsafe-target-blank
  Prevents the use of target="_blank" without rel="noreferrer noopener".