SEC002 · javascript: URL
Severity: warning · Category: security
What it checks
Section titled “What it checks”Flags an element attribute (href / src / action / formaction) whose literal value starts with javascript:. Dynamic values are not checked.
Why it matters
Section titled “Why it matters”A javascript: URL executes arbitrary script on activation — an XSS / unsafe-navigation vector that also breaks under a strict Content-Security-Policy.
How to fix
Section titled “How to fix”Use an event handler or a real URL:
<!-- Instead of <a href="javascript:doThing()"> --><button type="button" onclick={doThing}>Do thing</button>