Skip to main content

no-location-javascript-url

Disallow javascript: URLs in location-like navigation sinks.

Targeted pattern scopeโ€‹

Location/open navigation sinks assigned javascript: URLs.

What this rule reportsโ€‹

Assignments and calls that pass javascript: URL strings into navigation sinks.

Why this rule existsโ€‹

javascript: URL execution is a classic DOM XSS sink and should be blocked in modern code.

โŒ Incorrectโ€‹

window.location.href = "javascript:alert(1)";

โœ… Correctโ€‹

window.location.href = "https://example.com";

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },

rules: {
"sdl/no-location-javascript-url": "error",
},
},
];

When not to use itโ€‹

Disable only for legacy code that cannot yet migrate away from javascript: URLs and has explicit security review sign-off.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R042