Disallow javascript: URLs. This rule is an error by default.
See this issue for rationale.
These snippets cause lint errors.
let el = <a href="javascript:alert('hacked!')" />;

let el = <Link to="javascript:alert('hacked!')" />;

let el = <Foo bar="javascript:alert('hacked!')" />;

const link = "javascript:alert('hacked!')";
let el = <a href={link} />;

const link = "\tj\na\tv\na\ts\nc\tr\ni\tpt:alert('hacked!')";
let el = <a href={link} />;

const link = "javascrip" + "t:alert('hacked!')";
let el = <a href={link} />;

These snippets don't cause lint errors.
let el = <a href="https://example.com" />;

let el = <Link to="https://example.com" />;

let el = <Foo bar="https://example.com" />;

const link = "https://example.com";
let el = <a href={link} />;
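
Browsers strip leading whitespace and remove tabs and newlines from a URL before reading its scheme, which is why the tab-and-newline snippet above is still a javascript: URL. The following is an added example, not the rule's own implementation: `isScriptUrl` reproduces that normalization, and `safeHref` is a runtime allowlist for values a linter cannot resolve statically. Both function names, the allowed-scheme set and the placeholder base URL are assumptions made for this example.

```javascript
// Added example; isScriptUrl, safeHref and ALLOWED_SCHEMES are hypothetical names.

// Same preprocessing the URL parser applies: trim C0 control characters and
// spaces at both ends, then drop ASCII tab/newline anywhere in the string.
function isScriptUrl(value) {
  if (typeof value !== "string") return false;
  const normalized = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(normalized);
}

// Runtime guard for dynamic values: allow only known-good schemes instead of
// trying to list every dangerous one. The scheme set is an assumption.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function safeHref(value, fallback = "#") {
  try {
    // The base lets relative URLs parse; it is a constructed placeholder.
    const url = new URL(value, "https://placeholder.invalid/");
    return ALLOWED_SCHEMES.has(url.protocol) ? value : fallback;
  } catch {
    return fallback; // non-string or unparseable input
  }
}

// Constructed samples taken from the snippets on this page.
const samples = [
  "javascript:alert('hacked!')",
  "\tj\na\tv\na\ts\nc\tr\ni\tpt:alert('hacked!')",
  "javascrip" + "t:alert('hacked!')",
  "https://example.com",
];

for (const s of samples) {
  console.log(JSON.stringify(s), isScriptUrl(s), safeHref(s));
}
```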