scriptUrls

Reports javascript: URLs that can act as a form of eval.

✅ This rule is included in the browser logical preset.
Using javascript: URLs is a form of eval. When the browser navigates to a javascript: URL (for example an anchor href that is clicked, or a string assigned to location.href), it parses and executes the code after the javascript: scheme in the page's context, in the same way it processes eval. Any untrusted data that reaches such a URL therefore becomes executable code, which makes it a cross-site scripting (XSS) vector; browsers also block javascript: URLs under a Content Security Policy whose script-src does not include 'unsafe-inline'. Even when the string is a constant, the pattern is generally considered bad practice. Use event handlers or proper JavaScript functions instead of javascript: URLs.
Examples

Incorrect:

```js
location.href = "javascript:void(0)";
const url = "javascript:alert('XSS')";
const link = `javascript:void(0)`;
window.location = "javascript:doSomething()";
```

Correct:

```js
const url = "https://example.com";
const url = "http://example.com";
const url = "/page";
const data = "data:text/plain;base64,SGVsbG8=";
```
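The rule catches javascript: strings that are visible at lint time. The same code-execution sink is reached at runtime when an href comes from user-controlled data, and a naive prefix check does not close it, because browsers strip leading whitespace and embedded tabs/newlines from a URL before reading its scheme. The following is an added example (it is not the rule's documentation or the linter's own code) that contrasts a naive check with a guard built on the WHATWG URL parser; the base URL https://example.com/, the fake window object, and the http/https-only allowlist are assumptions for the demonstration.

```javascript
// Added example: guarding a navigation sink against javascript: URLs at runtime.
// Assumes a WHATWG `URL` global (Node.js or any modern browser).

// Allowlist of schemes an untrusted href may use. This is stricter than the
// lint rule, which reports only javascript: and lets data: through; for
// user-supplied links, anything outside http(s) is rejected (assumption).
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Vulnerable check: a prefix test on the raw string. "  JAVASCRIPT:alert(1)"
// and "java\tscript:alert(1)" pass it, yet a browser still executes them.
function naiveIsSafeHref(href) {
  return typeof href === "string" && !href.toLowerCase().startsWith("javascript:");
}

// Hardened check: parse the href (resolving relative paths against `base`)
// and compare the normalised scheme. The URL parser strips leading/trailing
// whitespace and control characters and removes tabs and newlines, so the
// evasions above normalise to protocol "javascript:" and are rejected.
// Base URL is an assumed placeholder.
function isSafeHref(href, base = "https://example.com/") {
  if (typeof href !== "string") return false;
  let parsed;
  try {
    parsed = new URL(href, base);
  } catch {
    return false; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Navigation sink that refuses anything the guard does not allow.
// Returns the href it navigated to, or null when the input was rejected.
function navigateSafe(win, href) {
  if (!isSafeHref(href)) return null;
  win.location.href = href;
  return href;
}

// Constructed sample inputs, including spellings that bypass the naive check.
const samples = [
  "https://example.com",
  "/page",
  "javascript:alert('XSS')",
  "  JAVASCRIPT:alert(1)",
  "java\tscript:alert(1)",
  "data:text/plain;base64,SGVsbG8=",
];

// Stand-in for `window` so the file also runs outside a browser (assumption).
const fakeWindow = { location: { href: "about:blank" } };

for (const s of samples) {
  const naive = naiveIsSafeHref(s) ? "naive: allowed" : "naive: rejected";
  const robust = navigateSafe(fakeWindow, s) ? "guard: allowed" : "guard: rejected";
  console.log(JSON.stringify(s), "->", naive, "|", robust);
}
```

The guard is a defence for the runtime path only; the lint rule remains the right tool for the literal javascript: strings in your own source, and a Content Security Policy without 'unsafe-inline' is the backstop if both are bypassed.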
When Not To Use It

If your project is internal-facing only and already uses javascript: URLs as a core design pattern, it might be difficult to enable this rule.
Further Reading

Equivalents in Other Linters

- ESLint: no-script-url
- Oxlint: eslint/no-script-url
Made with ❤️🔥 in Boston by Josh Goldberg and contributors.