Commit | Line | Data |
---|---|---|
eb39fafa DC |
1 | # Disallow Script URLs (no-script-url) |
2 | ||
3 | Using `javascript:` URLs is considered by some to be a form of `eval`. Code passed in a `javascript:` URL has to be parsed and evaluated by the browser in the same way that `eval` is processed. | |
4 | ||
5 | ## Rule Details | |
6 | ||
7 | Examples of **incorrect** code for this rule: | |
8 | ||
9 | ```js | |
10 | /*eslint no-script-url: "error"*/ | |
11 | ||
12 | location.href = "javascript:void(0)"; | |
6f036462 TL |
13 | |
14 | location.href = `javascript:void(0)`; | |
eb39fafa DC |
15 | ``` |
16 | ||
17 | ## Compatibility | |
18 | ||
19 | * **JSHint**: This rule corresponds to the `scripturl` rule of JSHint. | |
20 | ||
21 | ## Further Reading | |
22 | ||
23 | * [What is the matter with script-targeted URLs?](https://stackoverflow.com/questions/13497971/what-is-the-matter-with-script-targeted-urls) |
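
The rule flags `javascript:` URLs written as string or template literals in source, so a URL that only exists at runtime needs its own scheme check before it is assigned to `location.href`. The following is an added example, not part of the ESLint documentation; `safeNavigationTarget`, its `base` parameter, the allowlist and the `app.example` host are assumptions made for illustration.

```javascript
// Added example: runtime counterpart to the static no-script-url check.
// Assumption: the application only ever navigates to these schemes.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized URL string when its scheme is allowlisted,
// otherwise null. `base` (hypothetical) resolves relative references.
function safeNavigationTarget(value, base = "https://app.example/") {
  let parsed;
  try {
    // The URL parser lowercases the scheme and trims surrounding
    // whitespace, so compare the parsed protocol, not the raw string.
    parsed = new URL(String(value), base);
  } catch {
    return null; // not parseable as a URL at all
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample inputs, as they might arrive from a query
// parameter or an API response.
const samples = [
  "/account",
  "https://example.org/page",
  "javascript:void(0)",
  "  JavaScript:void(0)",
  "data:text/html,hi",
];

for (const s of samples) {
  const target = safeNavigationTarget(s);
  console.log(JSON.stringify(s), "->", target === null ? "rejected" : target);
}
```

In a browser the caller would assign the returned string to `location.href` only when it is not `null`.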