No Script URL
Block javascript: URLs except explicitly allowed patterns because script URLs execute arbitrary code and are a common XSS vector.
Summary
The no-script-url rule reports any string literal whose value starts with `javascript:` unless it matches one of the allowed patterns.
Why Use This Rule?
- Prevents XSS vulnerabilities from `javascript:` URLs that execute arbitrary code.
- Makes dangerous patterns visible during code review instead of hiding in string values.
- Provides an `allowedPatterns` escape hatch for cases where `javascript:` URLs are intentional.
Examples
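As an added illustration (not the rule's actual implementation), here is a minimal ESLint-style version of the check described in the Summary, plus a small driver that runs it over constructed literal nodes without ESLint installed. The case and leading-whitespace normalization is an assumption that goes beyond the plain prefix check the page describes.

```javascript
// Decision logic for one string literal value; mirrors the rule description.
function isDisallowedScriptUrl(value, allowedPatterns = []) {
  if (typeof value !== "string") return false; // numeric, boolean, regex literals are ignored
  // Assumption beyond the page: normalize case and leading whitespace, since
  // browsers treat "JavaScript:" and " javascript:" as the same scheme.
  if (!value.trimStart().toLowerCase().startsWith("javascript:")) return false;
  // allowedPatterns are exact matches against the literal as written.
  return !allowedPatterns.includes(value);
}

// ESLint-style rule object built on the predicate above.
const noScriptUrl = {
  meta: {
    type: "problem",
    schema: [{ type: "object", properties: {
      allowedPatterns: { type: "array", items: { type: "string" } },
      ignoreFiles: { type: "array", items: { type: "string" } },
    }, additionalProperties: false }],
  },
  create(context) {
    const { allowedPatterns = [] } = context.options[0] || {};
    return {
      // Only Literal nodes are visited. There is deliberately no TemplateLiteral
      // visitor, which is why template-built javascript: URLs are not caught.
      Literal(node) {
        if (isDisallowedScriptUrl(node.value, allowedPatterns)) {
          context.report({ node, message: `Script URL literal: ${node.value}` });
        }
      },
    };
  },
};

// Stand-in for the ESLint traversal so the block runs offline: feeds constructed
// AST nodes to the rule's visitors and collects the reported messages.
function runRule(nodes, options = {}) {
  const reports = [];
  const context = { options: [options], report: (r) => reports.push(r.message) };
  const visitors = noScriptUrl.create(context);
  for (const node of nodes) if (visitors[node.type]) visitors[node.type](node);
  return reports;
}

// Constructed sample nodes, as a parser would produce for a small front-end file.
const sampleNodes = [
  { type: "Literal", value: "javascript:void(0)" },
  { type: "Literal", value: "JavaScript:alert(1)" },
  { type: "Literal", value: "https://example.com/" },
  { type: "TemplateLiteral", quasis: [{ value: { raw: "javascript:" } }] },
];
```

Running `runRule(sampleNodes, { allowedPatterns: ["javascript:void(0)"] })` reports only the second literal; the template literal is silently skipped, matching the Troubleshooting note.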
Configuration
Options
Warning: `ignoreFiles` is an escape hatch for files where this rule genuinely does not apply. It is not intended for routine use.
| Option | Type | Default | Description |
|---|---|---|---|
| `allowedPatterns` | `string[]` | `[]` | Exact `javascript:` URLs to allow. |
| `ignoreFiles` | `string[]` | `[]` | File patterns to skip. |
Autofix
Autofix is not available for this rule. Flagged code must be updated manually.
Troubleshooting
- Warning fires on `javascript:void(0)`: add `'javascript:void(0)'` to the `allowedPatterns` option.
- Template literals are not checked: the rule only inspects string literals, so dynamic `javascript:` URLs built via template literals are not caught.