Skip to main content

no-script-src-data-url

Disallow HTMLScriptElement.src values that use data: URLs.

Targeted pattern scopeโ€‹

This rule targets static data: URLs assigned to script src sinks such as script.src = ..., script.setAttribute("src", ...), and JSX <script src=...>.

What this rule reportsโ€‹

This rule reports data: URLs only when they are written into script-loading sinks. It does not report non-script uses such as img.src = "data:...".

Why this rule existsโ€‹

A data: URL in a script-loading sink embeds executable code directly in the URL itself. That bypasses the usual reviewed external-script loading path and makes it easier to smuggle code through values that look like plain strings.

โŒ Incorrectโ€‹

const script = document.createElement("script");
script.src = "data:text/javascript,alert('owned')";
const loader = <script src="data:text/javascript,bootstrap()" />;

โœ… Correctโ€‹

const script = document.createElement("script");
script.src = "https://cdn.example.com/app.js";
const image = new Image();
image.src = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA";

Behavior and migration notesโ€‹

This rule intentionally focuses on script src sinks and does not attempt to analyze other executable loading surfaces such as workers.

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-script-src-data-url": "error",
},
},
];

When not to use itโ€‹

If your codebase intentionally relies on data: script URLs and that behavior is acceptable in your threat model, this rule may be too strict.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R063