Ask questionsFalse-positive security precaution warning (`javascript:` URLs)

Do you want to request a feature or report a bug?

Report a bug.

What is the current behavior? React 16.9.0 deprecates javascript: URLs (@sebmarkbage in #15047). It was motivated by preventing XSS vulnerability that can be used by injecting client-side scripts:

<a href={url}>Unsafe Link</a>

The following code cannot be exploited by attackers, it cannot be used to inject XSS:

<a href="javascript:void(0)">Safe Link</a>

React 16.9 reports the security precaution warning for the example:

Warning: A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML try using dangerouslySetInnerHTML instead. React was passed "javascript:void(0)".

Edit determined-rgb-sws4g

What is the expected behavior?

I would expected that security precaution warnings aren't reported for values that cannot be controlled by attackers.

There were also concerns regarding common patterns like javascript:void(0), see @gaearon comment:

Especially javascript:void(0) seems like it's still pretty common because it's copy pasted from old samples etc. Is it dangerous to whitelist that one? Is it a vector by itself?

If there're tons of reported security issues, you definitely ignore something important.

For reference: Angular’s cross-site scripting security model

Which versions of React, and which browser / OS are affected by this issue? Did this work in previous versions of React?

React 16.9.0 is affected. 16.8.6 doesn't report the warning.


Answer questions feng-fu

Same warning, i use <a href="javascript:;"></a> as button in many component. I just think it is correct.


Related questions

Disable react strict mode on third party libraries hot 7
Warning: Unknown DOM property for. Did you mean htmlFor? hot 6
TypeError: Object(...) is not a function
Refs - &#34;object is not extensible&#34;
React@16.9 block `javascript:void(0);`
Warning: validateDOMNesting(...): <tr> cannot appear as a child of <table> hot 3
"DevTools v4 is incompatible with this version of React" with React Native & latest version of React hot 3
Feedback on useEffect depndencies change error hot 3
[ESLint] Feedback for 'exhaustive-deps' lint rule hot 3
React custom hook "Should have a queue. This is likely a bug in React" error message. hot 2
useEffect causes 'callback is not a function' exception hot 2
DevTools: Updating state or props in devtools does not trigger component update. hot 2
Infinite loop in useEffect using blank object or array hot 2
Error on unit test : Cannot read property 'Symbol(Symbol.iterator)' of undefined hot 2
Hooks API - hook breaks when exported from module hot 2
Github User Rank List