# `react-doctor/svg-filter-clickjacking-risk`

Applying CSS or SVG filters over a cross-origin iframe can be used for clickjacking or to read pixels from framed content the attacker should not see.

- **Category:** Security
- **Severity:** warn
- **Source:** oxlint-plugin-react-doctor
- **Framework:** global
- **Enabled when:** production source files (.js/.ts/.jsx/.tsx); test/scripts/docs/generated paths skipped

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires in production source when an `<iframe>` sits within ~700 characters of a CSS filter reference (`filter: url(#…)`, in either order) or an SVG filter primitive (`<feDisplacementMap>`, `<feColorMatrix>`, `<feComposite>`, `<feTile>`, `<feMorphology>`) near an iframe — the textual proximity used to build an SVG/CSS-filter clickjacking or visual-exfiltration primitive over an embedded frame. Detection is case-insensitive substring proximity, not real DOM scoping. FALSE POSITIVE: the iframe and the filter are unrelated code that merely happen to fall within the window (a filter applied to a chart/image elsewhere in the same file), or the iframe is same-origin first-party UI where filtering is intentional decoration — confirm the filter actually applies to a cross-origin or privileged frame.

## Fix prompt

Use this once validation confirms the diagnostic is real.

Do not apply CSS or SVG filters to cross-origin or privileged iframes; remove the `filter`/`fe*` primitive from the embedded frame's render path. Protect sensitive pages from being framed with `Content-Security-Policy: frame-ancestors 'self'` (or `'none'`) plus `X-Frame-Options`. Apply visual effects only to first-party content you control, never to embedded third-party UI.