react/jsx-no-script-url Suspicious

🚧 An auto-fix is still under development.

What it does

Disallow usage of javascript: URLs

Why is this bad?

URLs starting with javascript: are a dangerous attack surface because it’s easy to accidentally include unsanitized output in a tag like <a href> and create a security hole. In React 16.9 any URLs starting with javascript: scheme log a warning. In a future major release, React will throw an error if it encounters a javascript: URL.

Examples

Examples of incorrect code for this rule:

<a href="javascript:void(0)">Test</a>;

Examples of correct code for this rule:

<Foo test="javascript:void(0)" />;

How to use

To enable this rule in the CLI or using the config file, you can use:

CLI

oxlint --deny react/jsx-no-script-url --react-plugin

Config (.oxlintrc.json)

{
  "plugins": ["react"],
  "rules": {
    "react/jsx-no-script-url": "error"
  }
}

References

• Rule Source