Critiq Docs

security.output-encoding

Avoid `javascript:` URLs

Do not use `javascript:` URLs in string literals, template literals, or JSX link attributes.

#Metadata

Rule ID: ts.security.no-javascript-url
Severity: high
Confidence: 0.94
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: stable
Applies to: block
Tags: rules-catalog, security, xss

#Why it matters

When a `javascript:` URL is used as a navigation target, the browser executes its contents as script, so an attacker who controls the URL controls the code that runs (XSS).

#Remediation

Use safe HTTPS links, in-app handlers, or explicit event callbacks instead of `javascript:` URLs.
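
For link targets that come from data rather than from literals, the same remediation can be enforced at runtime with a scheme allowlist. The following is an added example, not code from the Critiq rule or its repository; `safeHref`, `naiveCheck`, `ALLOWED_PROTOCOLS` and `APP_BASE` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: all names here are hypothetical, all inputs are constructed.
const ALLOWED_PROTOCOLS = new Set(["https:"]);
const APP_BASE = "https://app.example/"; // placeholder origin for relative links

// Weak check, shown for contrast: a literal prefix match on the raw string.
function naiveCheck(candidate) {
  return !candidate.startsWith("javascript:");
}

// Allowlist check on the parsed scheme. The WHATWG URL parser lowercases the
// scheme, strips leading control characters and spaces, and drops embedded
// tabs and newlines, so the decision is made on the normalized URL rather
// than on the raw string.
function safeHref(candidate, base = APP_BASE) {
  if (typeof candidate !== "string") return null;
  let url;
  try {
    url = new URL(candidate, base);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed sample inputs covering plain, relative and disguised forms.
const SAMPLES = [
  "https://example.com/a",
  "/settings",
  "javascript:void(0)",
  "JaVaScRiPt:void(0)",
  " \tjava\nscript:void(0)",
  "data:text/html,hi",
];

// Returns one row per input: what the weak check says, and the href to render.
function audit(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    naiveSaysSafe: naiveCheck(input),
    href: safeHref(input),
  }));
}

for (const row of audit()) console.log(row);
```

A `null` result means the link should not be rendered as a navigation target; the mixed-case and whitespace-padded inputs pass the prefix check but are rejected by the allowlist.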

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/typescript/ts.security.no-javascript-url.rule.yaml`.