In React 16.9 any URLs starting with javascript: scheme log a warning.
React considers the pattern as a dangerous attack surface, see details.
In a future major release, React will throw an error if it encounters a javascript: URL.
Examples of incorrect code for this rule:
<a href="javascript:"></a>
<a href="javascript:void(0)"></a>
<a href="j\n\n\na\rv\tascript:"></a>Examples of correct code for this rule:
<Foo href="javascript:"></Foo>
<a href={"javascript:"}></a>This rule takes the linkComponents setting into account.
This rule accepts array option (optional) and object option (optional).
{
"react/jsx-no-script-url": [
"error",
[
{
"name": "Link",
"props": ["to"]
},
{
"name": "Foo",
"props": ["href", "to"]
}
]
]
}Allows you to indicate a specific list of properties used by a custom component to be checked.
Component name.
List of properties that should be validated.
Examples of incorrect code for this rule, when configured with the above options:
<Link to="javascript:void(0)"></Link>
<Foo href="javascript:void(0)"></Foo>
<Foo to="javascript:void(0)"></Foo>Indicates if the linkComponents config in global shared settings should also be taken into account. If enabled, components and properties defined in settings will be added to the list provided in first option (if provided):
{
"react/jsx-no-script-url": [
"error",
[
{
"name": "Link",
"props": ["to"]
},
{
"name": "Foo",
"props": ["href", "to"]
}
],
{ "includeFromSettings": true }
]
}If only global settings should be used for this rule, the array option can be omitted:
{
// same as ["error", [], { "includeFromSettings": true }]
"react/jsx-no-script-url": ["error", { "includeFromSettings": true }]
}