javascript-url¶

Added in NEXT_DJANGOFMT_VERSION · Related issues · View source

What it does¶

Checks for javascript: URLs in HTML elements.

Why is this bad?¶

javascript: URLs execute arbitrary code when the element is activated. Any data interpolated into the URL becomes executable, which can allow cross-site scripting (XSS) attacks. The pattern also bypasses Content Security Policy script-src directives. Use a real URL and attach behavior with an event handler instead.

Example¶

<a href="javascript:alert('Hello, world!')">Click me</a>

Use instead:

<button id="btn">Click me</button>
<script>
  document.getElementById("btn").addEventListener("click", () => {
    alert("Hello, world!");
  });
</script>

References¶

• MDN: javascript: URLs