noScriptUrl
Summary
- Rule available since: v2.3.9
- Diagnostic Category: lint/nursery/noScriptUrl
- This rule doesn't have a fix.
- The default severity of this rule is error.
- Sources:
  - Same as no-script-url
  - Same as react/jsx-no-script-url
  - Same as qwik/jsx-no-script-url
  - Same as solid/jsx-no-script-url
  - Same as @eslint-react/dom-no-script-url

How to configure

{
  "linter": {
    "rules": {
      "nursery": {
        "noScriptUrl": "error"
      }
    }
  }
}

Description

Disallow javascript: URLs in HTML.

Using javascript: URLs is considered a form of eval and can be a security risk. These URLs can execute arbitrary JavaScript code, which can lead to cross-site scripting (XSS) vulnerabilities.

Examples

Invalid

<a href="javascript:void(0)">Click me</a>

code-block.html:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Avoid using javascript: URLs, as they can be a security risk.

  > 1 │ <a href="javascript:void(0)">Click me</a>
      │        ^^^^^^^^^^^^^^^^^^^^^
    2 │

  ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).

  ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.

<a href="javascript:alert('XSS')">Click me</a>

code-block.html:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Avoid using javascript: URLs, as they can be a security risk.

  > 1 │ <a href="javascript:alert('XSS')">Click me</a>
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^
    2 │

  ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).

  ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.

Valid

<a href="https://example.com">Click me</a>
<a href="/path/to/page">Click me</a>
<a href="#section">Click me</a>
<span href="javascript:void(0)">Not a real href</span>

Description

Disallow javascript: URLs.

Using javascript: URLs is considered a form of eval and can be a security risk. These URLs can execute arbitrary JavaScript code, which can lead to cross-site scripting (XSS) vulnerabilities.
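
A lint rule inspects the source text, so an href value that is only known at run time needs the same check in code. The following is an added example, not part of the Biome documentation or Biome's implementation; `normalizeForSchemeCheck`, `isScriptUrl`, `safeHref` and the allowed-scheme list are hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not Biome's code. All names here are hypothetical and the
// sample inputs at the bottom are constructed.

// Browsers strip leading/trailing C0 control characters and spaces, and
// drop ASCII tab/newline anywhere in the string, before reading the scheme.
function normalizeForSchemeCheck(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True for the condition the rule reports: the URL has a javascript: scheme.
function isScriptUrl(value) {
  return /^javascript:/i.test(normalizeForSchemeCheck(value));
}

// Assumption: the application only needs these schemes in links.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a value that is safe to assign to href, or the fallback.
// An allowlist is used so that other script-capable schemes are rejected too.
function safeHref(value, fallback = "#") {
  const cleaned = normalizeForSchemeCheck(value);
  const scheme = /^[a-z][a-z0-9+.-]*:/i.exec(cleaned);
  if (scheme === null) return cleaned; // relative path, query or fragment
  return ALLOWED_SCHEMES.has(scheme[0].toLowerCase()) ? cleaned : fallback;
}

// Constructed inputs: the page's valid and invalid hrefs plus two spellings
// that a plain startsWith("javascript:") comparison would not catch.
const samples = [
  "https://example.com",
  "/path/to/page",
  "#section",
  "javascript:void(0)",
  "  JavaScript:void(0)",
  "java\tscript:void(0)",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "script:", isScriptUrl(s), "->", safeHref(s));
}
```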

Examples

Invalid

<a href="javascript:void(0)">Click me</a>

code-block.jsx:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Avoid using javascript: URLs, as they can be a security risk.

  > 1 │ <a href="javascript:void(0)">Click me</a>
      │        ^^^^^^^^^^^^^^^^^^^^^
    2 │

  ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).

  ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.

<a href="javascript:alert('XSS')">Click me</a>

code-block.jsx:1:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Avoid using javascript: URLs, as they can be a security risk.

  > 1 │ <a href="javascript:alert('XSS')">Click me</a>
      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^
    2 │

  ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).

  ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.

React.createElement('a', { href: 'javascript:void(0)' });

code-block.js:1:34 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Avoid using javascript: URLs, as they can be a security risk.

  > 1 │ React.createElement('a', { href: 'javascript:void(0)' });
      │                                  ^^^^^^^^^^^^^^^^^^^^
    2 │

  ℹ Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).

  ℹ Consider using regular URLs, or if you need to handle click events, use event handlers instead.

Valid

<a href="https://example.com">Click me</a>
<a href="/path/to/page">Click me</a>
<a href="#section">Click me</a>