JS-0421 @ cab3713 • QuackatronHQ / Gigarepo

Run summary

2 months ago

cab3713..cab3713

40 s

Found usage of deprecated javascript: URLs JS-0421

Bug risk

Critical

2 occurrences in this check

react

A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML, try using dangerouslySetInnerHTML instead

javascript/packages/demo-react/src/components/home.js

23      </ul>
24      <button>Login</button>
25      <SideBar />
26      <a href="javascript:void(0)" target="_blank" rel="noreferrer">27        FAQs
28      </a>
29    </>

A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML, try using dangerouslySetInnerHTML instead

javascript/packages/demo-react/src/components/hero.js

23      </ul>
24      <button>Login</button>
25      <SideBar />
26      <a href="javascript:void(0)" target="_blank" rel="noreferrer">27        FAQs
28      </a>
29    </>

Description

URLs starting with javascript: are a dangerous attack surface because it's easy to accidentally include the unsanitized output in a tag like <a href> and create a security hole for XSS. The developers can use the React event handlers e.g. onChange, onClick etc.

Bad Practice

<a href="javascript:"></a>
<a href="javascript:void(0)"></a>

References

Deprecating javascript: URLs

QuackatronHQ / Gigarepo

Bad Practice

Recommended

References