no-unsafe-iframe-sandbox
Full Name in eslint-plugin-react-dom
react-dom/no-unsafe-iframe-sandbox
Full Name in @eslint-react/eslint-plugin
@eslint-react/dom/no-unsafe-iframe-sandbox
Presets
dom
recommended
recommended-typescript
recommended-type-checked
Description
Enforces that the sandbox attribute for iframe elements is not set to unsafe combinations.
This rule reports cases where the attribute contains allow-scripts and allow-same-origin at the same time, as this combination allows the embedded document to remove the sandbox attribute and bypass the restrictions.
Examples
Failing
import React from "react";

function MyComponent() {
  return (
    <iframe
      src="https://eslint-react.xyz"
      sandbox="allow-scripts allow-same-origin"
    />
  );
}
Passing
import React from "react";

function MyComponent() {
  return <iframe src="https://eslint-react.xyz" sandbox="allow-popups" />;
}
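The check this rule describes, sketched as a standalone token test plus a text scan over quoted sandbox values. This is an added example, not the plugin's implementation: hasUnsafeSandbox, findUnsafeIframes and SAMPLE are hypothetical names, and the scan assumes literal attribute values with no ">" inside the tag.

```javascript
// Added example, not the plugin's source. All names here are hypothetical.
const UNSAFE_PAIR = ["allow-scripts", "allow-same-origin"];

// sandbox holds space-separated tokens; HTML compares them ASCII case-insensitively.
function hasUnsafeSandbox(value) {
  if (typeof value !== "string") return false; // absent or non-literal attribute
  const tokens = new Set(
    value.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase()),
  );
  return UNSAFE_PAIR.every((t) => tokens.has(t));
}

// Scans source text for <iframe> tags whose quoted sandbox value is unsafe.
// Assumption: no ">" inside attribute values or JSX expressions of the tag.
// Returns findings with 1-based line numbers of the opening "<iframe".
function findUnsafeIframes(source) {
  const findings = [];
  for (const tag of source.matchAll(/<iframe\b[^>]*>/gi)) {
    const attr = /\bsandbox\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag[0]);
    if (!attr) continue; // missing sandbox is a different rule's concern
    const value = attr[1] ?? attr[2];
    if (hasUnsafeSandbox(value)) {
      const line = source.slice(0, tag.index).split("\n").length;
      findings.push({ line, sandbox: value });
    }
  }
  return findings;
}

// Constructed sample: the failing and passing components from this page.
const SAMPLE = `
function A() {
  return (
    <iframe
      src="https://eslint-react.xyz"
      sandbox="allow-scripts allow-same-origin"
    />
  );
}
function B() {
  return <iframe src="https://eslint-react.xyz" sandbox="allow-popups" />;
}
`;

console.log(findUnsafeIframes(SAMPLE));
```

Token order, letter case and extra whitespace do not change the result, so a value such as "allow-same-origin ALLOW-SCRIPTS allow-forms" is still flagged.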
See Also
no-missing-iframe-sandbox: Enforces explicit sandbox attribute for iframe elements.
no-unsafe-target-blank: Prevents the use of target="_blank" without rel="noreferrer noopener".