react/jsx-no-script-url Suspicious β
What it does β
Disallow usage of javascript: URLs
Why is this bad? β
URLs starting with javascript: are a dangerous attack surface because itβs easy to accidentally include unsanitized output in a tag like <a href> and create a security hole. In React 16.9 any URLs starting with javascript: scheme log a warning. In a future major release, React will throw an error if it encounters a javascript: URL.
Examples β
Examples of incorrect code for this rule:
jsx
<a href="javascript:void(0)">Test</a>Examples of correct code for this rule:
jsx
<Foo test="javascript:void(0)" />How to use β
To enable this rule in the CLI or using the config file, you can use:
bash
oxlint --deny react/jsx-no-script-urljson
{
"rules": {
"react/jsx-no-script-url": "error"
}
}