A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML, try using dangerouslySetInnerHTML instead
    </ul>
    <button>Login</button>
    <SideBar />
    <a href="javascript:void(0)" target="_blank" rel="noreferrer">
      FAQs
    </a>
  </>
Description
URLs starting with javascript: are a dangerous attack surface because it's easy to accidentally include unsanitized output in a tag like <a href> and create an XSS security hole.
Developers can use React event handlers such as onChange, onClick, etc. instead.
Bad Practice
<a href="javascript:"></a>
<a href="javascript:void(0)"></a>
Recommended
<a href="https://www.website.com">text</a>
<div onClick={handleClick}></div>
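When the href value comes from data rather than a literal, the unsanitized-output case from the description applies. The following is an added example, not part of the original rule documentation: a scheme allowlist applied before the value reaches <a href>. The names safeHref, ALLOWED_SCHEMES and PLACEHOLDER_BASE, the allowlist contents and the sample inputs are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for untrusted href values.
// All names here are hypothetical, not part of React or of the lint rule.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Placeholder base so that relative links such as "/faq" can be parsed.
const PLACEHOLDER_BASE = "https://app.invalid/";

function safeHref(value) {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser normalises input the way a browser does:
    // it trims leading control characters and spaces, drops embedded
    // tabs and newlines, and lower-cases the scheme. A plain
    // value.startsWith("javascript:") check misses all of those forms.
    parsed = new URL(value, PLACEHOLDER_BASE);
  } catch {
    return null; // unparseable input is rejected
  }
  // Return the original string so relative links stay relative.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? value : null;
}

// Constructed sample inputs (not taken from the page).
const samples = [
  "https://www.website.com",
  "/faq",
  "mailto:help@website.com",
  "javascript:void(0)",
  "JaVaScRiPt:alert(1)",
  " \u0001javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hi",
];

for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeHref(s));
}

// In a component (JSX, shown as a comment because it needs a build step):
//   const href = safeHref(link.url);
//   return href ? <a href={href}>{link.label}</a> : <span>{link.label}</span>;
```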