no-location-javascript-url
Disallow javascript: URLs in location-like navigation sinks.
Targeted pattern scopeโ
Location/open navigation sinks assigned javascript: URLs.
What this rule reportsโ
Assignments and calls that pass javascript: URL strings into navigation sinks.
Why this rule existsโ
javascript: URL execution is a classic DOM XSS sink and should be blocked in modern code.
โ Incorrectโ
window.location.href = "javascript:alert(1)";
โ Correctโ
window.location.href = "https://example.com";
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-location-javascript-url": "error",
},
},
];
When not to use itโ
Disable only for legacy code that cannot yet migrate away from javascript: URLs and has explicit security review sign-off.
Package documentationโ
Further readingโ
Rule catalog ID: R042