no-script-src-data-url
Disallow HTMLScriptElement.src values that use data: URLs.
Targeted pattern scopeโ
This rule targets static data: URLs assigned to script src sinks such as
script.src = ..., script.setAttribute("src", ...), and JSX
<script src=...>.
What this rule reportsโ
This rule reports data: URLs only when they are written into script-loading
sinks. It does not report non-script uses such as img.src = "data:...".
Why this rule existsโ
A data: URL in a script-loading sink embeds executable code directly in the
URL itself. That bypasses the usual reviewed external-script loading path and
makes it easier to smuggle code through values that look like plain strings.
โ Incorrectโ
const script = document.createElement("script");
script.src = "data:text/javascript,alert('owned')";
const loader = <script src="data:text/javascript,bootstrap()" />;
โ Correctโ
const script = document.createElement("script");
script.src = "https://cdn.example.com/app.js";
const image = new Image();
image.src = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA";
Behavior and migration notesโ
This rule intentionally focuses on script src sinks and does not attempt to
analyze other executable loading surfaces such as workers.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-script-src-data-url": "error",
},
},
];
When not to use itโ
If your codebase intentionally relies on data: script URLs and that behavior
is acceptable in your threat model, this rule may be too strict.
Package documentationโ
Further readingโ
Rule catalog ID: R063