Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent usage of unsafe target='_blank' (react/jsx-no-target-blank) #1367

Closed
feross opened this issue Aug 15, 2019 · 1 comment

Comments

@feross
Copy link
Member

commented Aug 15, 2019

https://github.com/yannickcr/eslint-plugin-react/blob/master/docs/rules/jsx-no-target-blank.md

When creating a JSX element that has an a tag, it is often desired to have
the link open in a new tab using the target='_blank' attribute. Using this
attribute unaccompanied by rel='noreferrer noopener', however, is a severe
security vulnerability (see here for more details)
This rules requires that you accompany target='_blank' attributes with rel='noreferrer noopener'.

Rule Details

This rule aims to prevent user generated links from creating security vulnerabilities by requiring
rel='noreferrer noopener' for external links, and optionally any dynamically generated links.

The following patterns are considered errors:

var Hello = <a target='_blank' href="http://example.com/"></a>
var Hello = <a target='_blank' href={dynamicLink}></a>

The following patterns are not considered errors:

var Hello = <p target="_blank"></p>
var Hello = <a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>
var Hello = <a target="_blank" href="relative/path/in/the/host"></a>
var Hello = <a target="_blank" href="/absolute/path/in/the/host"></a>
var Hello = <a></a>

@feross feross added this to the standard 14 milestone Aug 15, 2019

@feross

This comment has been minimized.

Copy link
Member Author

commented Aug 15, 2019

Shipped in standard 14.

@feross feross closed this in c852a11 Aug 15, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
1 participant
You can’t perform that action at this time.