Skip to content
Branch: master
Find file Copy path
Find file Copy path
6 contributors

Users who have contributed to this file

@jeddy3 @ZacharyRSmith @CAYdenberg @evilebottnawi @davidtheclark @BenjaminWFox
67 lines (46 sloc) 1.47 KB


Specify a whitelist of allowed URL schemes.

a { background-image: url(''); }
/**                        ↑
 *           This URL scheme */

A URL scheme consists of alphanumeric, +, -, and . characters. It can appear at the start of a URL and is followed by :.

This rule ignores:

  • URL arguments without an existing URL scheme
  • URL arguments with variables or variable interpolation ($sass, @less, --custom-property, #{$var}, @{var}, $(var))


array|string|regex: ["array", "of", /schemes/ or "/regex/"]|"scheme"|/regex/


["data", "/^http/"]

The following patterns are considered violations:

a { background-image: url('file://file.jpg'); }

The following patterns are not considered violations:

a { background-image: url(''); }
a { background-image: url('/'); }
a { background-image: url('//'); }
a { background-image: url('./path/to/file.jpg'); }
a { background-image: url(''); }
a { background-image: url(''); }
a { background-image: url('HTTPS://'); }
a { background-image: url('data:image/gif;base64,R0lGODlhAQABAIAAAAUEBAAAACwAAAAAAQABAAACAkQBADs='); }
You can’t perform that action at this time.