noScriptUrl
Summary
Section titled “Summary”- Rule available since:
v2.3.9 - Diagnostic Category:
lint/nursery/noScriptUrl - This rule doesn’t have a fix.
- The default severity of this rule is error.
- Sources:
- Same as
no-script-url - Same as
react/jsx-no-script-url - Same as
qwik/jsx-no-script-url - Same as
solid/jsx-no-script-url - Same as
@eslint-react/dom-no-script-url
- Same as
How to configure
Section titled “How to configure”{ "linter": { "rules": { "nursery": { "noScriptUrl": "error" } } }}Description
Section titled “Description”Disallow javascript: URLs in HTML.
Using javascript: URLs is considered a form of eval and can be a security risk. These URLs can execute arbitrary JavaScript code, which can lead to cross-site scripting (XSS) vulnerabilities.
Examples
Section titled “Examples”Invalid
Section titled “Invalid”<a href="javascript:void(0)">Click me</a>code-block.html:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Avoid using javascript: URLs, as they can be a security risk.
> 1 │ <a href=“javascript:void(0)“>Click me</a>
│ ^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.
ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
<a href="javascript:alert('XSS')">Click me</a>code-block.html:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Avoid using javascript: URLs, as they can be a security risk.
> 1 │ <a href=“javascript:alert(‘XSS’)“>Click me</a>
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.
ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
<a href="https://example.com">Click me</a><a href="/path/to/page">Click me</a><a href="#section">Click me</a><span href="javascript:void(0)">Not a real href</span>Related links
Section titled “Related links”Summary
Section titled “Summary”- Rule available since:
v2.3.9 - Diagnostic Category:
lint/nursery/noScriptUrl - This rule doesn’t have a fix.
- The default severity of this rule is error.
- Sources:
- Same as
no-script-url - Same as
react/jsx-no-script-url - Same as
qwik/jsx-no-script-url - Same as
solid/jsx-no-script-url - Same as
@eslint-react/dom-no-script-url
- Same as
How to configure
Section titled “How to configure”{ "linter": { "rules": { "nursery": { "noScriptUrl": "error" } } }}Description
Section titled “Description”Disallow javascript: URLs.
Using javascript: URLs is considered a form of eval and can be a security risk. These URLs can execute arbitrary JavaScript code, which can lead to cross-site scripting (XSS) vulnerabilities.
Examples
Section titled “Examples”Invalid
Section titled “Invalid”<a href="javascript:void(0)">Click me</a>code-block.jsx:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Avoid using javascript: URLs, as they can be a security risk.
> 1 │ <a href=“javascript:void(0)“>Click me</a>
│ ^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.
ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
<a href="javascript:alert('XSS')">Click me</a>code-block.jsx:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Avoid using javascript: URLs, as they can be a security risk.
> 1 │ <a href=“javascript:alert(‘XSS’)“>Click me</a>
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.
ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
React.createElement('a', { href: 'javascript:void(0)' });code-block.js:1:34 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Avoid using javascript: URLs, as they can be a security risk.
> 1 │ React.createElement(‘a’, { href: ‘javascript:void(0)’ });
│ ^^^^^^^^^^^^^^^^^^^^
2 │
ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.
ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
<a href="https://example.com">Click me</a><a href="/path/to/page">Click me</a><a href="#section">Click me</a>Related links
Section titled “Related links”Sponsored by
Copyright (c) 2023-present Biome Developers and Contributors.