Skip to content

SEC002 · javascript: URL

Severity: warning · Category: security

Flags an element attribute (href / src / action / formaction) whose literal value starts with javascript:. Dynamic values are not checked.

A javascript: URL executes arbitrary script on activation — an XSS / unsafe-navigation vector that also breaks under a strict Content-Security-Policy.

Use an event handler or a real URL:

<!-- Instead of <a href="javascript:doThing()"> -->
<button type="button" onclick={doThing}>Do thing</button>