New
Introducing React Doctor for Enterprise

react/jsx-no-script-url

Disallow javascript: URLs in href — they execute arbitrary code, and React 19 throws on them.

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires on DOM <a>, <area>, and <link> elements (plus components added via the components option) whose href is a string literal starting with javascript: — including obfuscated forms with whitespace or escape characters interleaved inside the scheme name. React 16.9+ warns; React 19 throws entirely. False positive: a non-anchor custom component like <Foo href="javascript:void(0)" /> not in the configured components list is intentionally ignored.

Fix prompt

Use this once validation confirms the diagnostic is real.

Replace href="javascript:void(0)" with a real <button type="button" onClick={handler}> when triggering an action, or with the router's navigation primitive when changing routes. Never use an anchor as a clickable shell — buttons are accessible by default and don't need preventDefault tricks. See https://oxc.rs/docs/guide/usage/linter/rules/react/jsx-no-script-url.html and https://react.dev/blog/2024/04/25/react-19-upgrade-guide#other-breaking-changes

More Correctness rules from the rules reference:

  • react/no-children-prop: Disallow passing children as an explicit prop — nest content between the opening and closing tags instead.
  • react/no-danger: Flag dangerouslySetInnerHTML — raw HTML injection bypasses JSX escaping and invites cross-site scripting.
  • react/no-direct-mutation-state: Disallow mutating this.state directly in class components — use setState so React schedules a re-render.
  • react/no-is-mounted: Disallow the removed legacy isMounted() API — cancel async work instead of guarding setState.
  • react/no-render-return-value: Disallow using the return value of ReactDOM.render — a legacy escape hatch removed in React 19.