Prevent usage of `javascript:` URLs (react/jsx-no-script-url)

In React 16.9 any URLs starting with javascript: scheme log a warning. React considers the pattern as a dangerous attack surface, see details. In a future major release, React will throw an error if it encounters a javascript: URL.

Rule Details

The following patterns are considered warnings:

<a href="javascript:"></a>
<a href="javascript:void(0)"></a>
<a href="j\n\n\na\rv\tascript:"></a>

The following patterns are not considered warnings:

<Foo href="javascript:"></Foo>
<a href={"javascript:"}></a>

Rule Options

{
  "react/jsx-no-script-url": [
    "error",
    [
      {
        "name": "Link",
        "props": ["to"]
      },
      {
        "name": "Foo",
        "props": ["href", "to"]
      }
    ]
  ]
}

Allows you to indicate a specific list of properties used by a custom component to be checked.

name

Component name.

props

List of properties that should be validated.

The following patterns are considered warnings with the options listed above:

<Link to="javascript:void(0)"></Link>
<Foo href="javascript:void(0)"></Foo>
<Foo to="javascript:void(0)"></Foo>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

jsx-no-script-url.md

jsx-no-script-url.md

Prevent usage of `javascript:` URLs (react/jsx-no-script-url)

Rule Details

Rule Options

name

props

Files

jsx-no-script-url.md

Latest commit

History

jsx-no-script-url.md

File metadata and controls

Prevent usage of javascript: URLs (react/jsx-no-script-url)

Rule Details

Rule Options

name

props

Prevent usage of `javascript:` URLs (react/jsx-no-script-url)