New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/clickjacking-redirect-risk

A redirect target taken from caller input, or a privileged page that allows untrusted framing, lets attackers send users to malicious sites or trick them through clickjacking.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: production source files (.js/.ts/.tsx) or config/CI files; tests/build/docs/generated paths skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires in production source or config/CI files on four shapes: (1) a redirect(...) call whose argument is attacker-controllable caller input — a bare identifier/property referencing searchParams.get/nextUrl.searchParams/returnTo/callbackUrl/continue/next (open redirect); (2) an <iframe> whose markup within ~700 chars carries redirect/URL-param shapes like next=/continue=/redirect=/redirect_uri/role=/..; (3) a frame-ancestors * (or 'self' *) CSP; or (4) an X-Frame-Options: ALLOW… header. Comments are stripped first. FALSE POSITIVE to suppress: already exempted — a redirect keyword that appears only inside a string literal (e.g. redirect('/login?...continue...')) and a target already passed through a safe*/valid*/sanitiz*/allowlist/whitelist helper are skipped; a remaining FP is a next/returnTo value already validated against a same-origin or path allowlist before this redirect().

Fix prompt

Use this once validation confirms the diagnostic is real.

For redirects, validate the target against a strict allowlist of paths or origins (or force it relative: reject anything not starting with a single /, and reject //) before calling redirect(), ideally through one shared getSafeRedirectUrl() helper. For framing, set Content-Security-Policy: frame-ancestors 'self' (or specific trusted origins) on privileged pages and avoid X-Frame-Options: ALLOW…. Do not embed privileged flows in URL-driven <iframe>s or URL-prefilled dialogs.