no-script-url

Rule category

Security.

What it does

Prevents usage of javascript: URLs as the value of certain attributes.

Why is this bad?

javascript: URLs are a form of XSS attack. They allow an attacker to execute arbitrary JavaScript in the context of your website, which can be used to steal user data, deface your website, or perform other malicious actions.

Examples

Failing

import React from "react";
 
function function Example(): React.JSX.ElementExample() {
  return <JSX.IntrinsicElements.a: React.DetailedHTMLProps<React.AnchorHTMLAttributes<HTMLAnchorElement>, HTMLAnchorElement>a React.AnchorHTMLAttributes<HTMLAnchorElement>.href?: string | undefinedhref="javascript:alert('Hello, world!')">Click me</JSX.IntrinsicElements.a: React.DetailedHTMLProps<React.AnchorHTMLAttributes<HTMLAnchorElement>, HTMLAnchorElement>a>;
  //        - Using a `javascript:` URL is a security risk and should be avoided.
}

Passing

import React from "react";
 
function function Example(): React.JSX.ElementExample() {
  return <JSX.IntrinsicElements.a: React.DetailedHTMLProps<React.AnchorHTMLAttributes<HTMLAnchorElement>, HTMLAnchorElement>a React.AnchorHTMLAttributes<HTMLAnchorElement>.href?: string | undefinedhref="/some-page">Click me</JSX.IntrinsicElements.a: React.DetailedHTMLProps<React.AnchorHTMLAttributes<HTMLAnchorElement>, HTMLAnchorElement>a>;
}

dom/no-render-return-value dom/no-unsafe-iframe-sandbox