Skip to main content

react_auditor/rules/security/
no_script_url.rs

1use oxc_ast::ast::{Program, StringLiteral};
2use oxc_ast_visit::Visit;
3use oxc_semantic::Semantic;
4
5use crate::rules::{Rule, RuleFinding, RuleMeta, Severity};
6
7pub struct NoScriptUrl;
8
9const RULE_META: RuleMeta = RuleMeta {
10    id: "no-script-url",
11    default_severity: Severity::Error,
12    category: "security",
13    description: "No `javascript:` URLs in links",
14};
15
16impl Rule for NoScriptUrl {
17    fn meta(&self) -> &RuleMeta {
18        &RULE_META
19    }
20
21    fn run(&self, program: &Program, _semantic: &Semantic, source_text: &str) -> Vec<RuleFinding> {
22        let mut collector = ScriptUrlCollector {
23            findings: Vec::new(),
24            source: source_text,
25        };
26        collector.visit_program(program);
27        collector.findings
28    }
29}
30
31struct ScriptUrlCollector<'a> {
32    findings: Vec<RuleFinding>,
33    source: &'a str,
34}
35
36impl<'a> Visit<'a> for ScriptUrlCollector<'a> {
37    fn visit_string_literal(&mut self, s: &StringLiteral) {
38        let val = s.value.as_str();
39        if val.to_lowercase().starts_with("javascript:") {
40            let start = s.span.start as usize;
41            let line = self.source[..start].lines().count().max(1);
42            let col = start - self.source[..start].rfind('\n').map(|i| i + 1).unwrap_or(0);
43            self.findings.push(RuleFinding {
44                line,
45                column: col + 1,
46                message: "Unexpected `javascript:` URL — security risk".to_string(),
47            });
48        }
49    }
50
51    fn visit_jsx_opening_element(&mut self, el: &oxc_ast::ast::JSXOpeningElement<'a>) {
52        for attr_item in &el.attributes {
53            if let oxc_ast::ast::JSXAttributeItem::Attribute(attr) = attr_item
54                && let Some(val) = &attr.value
55                && let oxc_ast::ast::JSXAttributeValue::StringLiteral(s) = val
56                && s.value.as_str().to_lowercase().starts_with("javascript:")
57            {
58                let start = attr.span.start as usize;
59                let line = self.source[..start].lines().count().max(1);
60                let col = start - self.source[..start].rfind('\n').map(|i| i + 1).unwrap_or(0);
61                self.findings.push(RuleFinding {
62                    line,
63                    column: col + 1,
64                    message: "Unexpected `javascript:` URL in JSX attribute — security risk"
65                        .to_string(),
66                });
67            }
68        }
69    }
70}