docs(linter): Improve docs for react/jsx-no-script-url rule. #16817
graphite-app[bot] merged 1 commit into main
Pull request overview
This PR updates the react/jsx-no-script-url linter rule to reflect that React 19 now blocks javascript: URLs entirely, rather than warning about a "future version" doing so. The diagnostic messages are made more discouraging of dangerouslySetInnerHTML usage, and the documentation is updated with a reference to the React 19 upgrade guide.
- Updates diagnostic warning message to state React 19 blocks `javascript:` URLs (not "future version")
- Makes help message more discouraging by changing "If you need to" to "If you absolutely need to" and "try using" to "consider"
- Updates documentation to reference React 19 specifically with link to upgrade guide
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `crates/oxc_linter/src/rules/react/jsx_no_script_url.rs` | Updates diagnostic messages to reference React 19 specifically, improves documentation with historical context and external link, cleans up test JSON formatting |
| `crates/oxc_linter/src/snapshots/react_jsx_no_script_url.snap` | Updates snapshot to reflect new diagnostic and help messages |
The main concern is the security guidance in the diagnostic help: it may still be read as recommending dangerouslySetInnerHTML as an alternative, which is risky for an XSS-related rule. Tightening the wording to more explicitly discourage it (and mention sanitization/trusted input if referenced) would better align the rule’s intent. Everything else in the diff is straightforward doc/snapshot alignment.
Summary of changes
Summary
This diff updates the react/jsx-no-script-url rule messaging and documentation to align with React 19 behavior:
- Diagnostic text updated from “a future version of React…” to “React 19 blocks `javascript:` URLs…”.
- Help text clarified to recommend event handlers and to more strongly caution around using `dangerouslySetInnerHTML`.
- Rule docs refreshed in `declare_oxc_lint!`:
  - Reformatted/expanded rationale.
  - Added a link to the React 19 upgrade guide stating `javascript:` URLs are disallowed.
- Tests and snapshots updated to reflect new messaging and minor JSON formatting changes in test cases.

Files touched:
- `crates/oxc_linter/src/rules/react/jsx_no_script_url.rs`
- `crates/oxc_linter/src/snapshots/react_jsx_no_script_url.snap`
CodSpeed Performance Report
Merging #16817 will not alter performance
React 19 disallows `javascript:` URLs entirely, so I have updated the docs accordingly. See https://react.dev/blog/2024/04/25/react-19-upgrade-guide#other-breaking-changes Also, remove `dangerouslySetInnerHTML` from the help message. It doesn't seem worth risking people using it by suggesting that.
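An added example, not part of this PR or of oxc's code: a check for attribute values that a browser would resolve to the `javascript:` scheme, the pattern this rule flags. The function names and the attribute list are assumptions; the normalisation follows the WHATWG URL parser, which ignores leading control characters and spaces and drops embedded tabs and newlines before reading the scheme.

```javascript
// Added example (not oxc's implementation): flag URL-bearing props whose value
// resolves to the javascript: scheme once the browser has normalised it.

// Assumed list of URL-bearing props; adjust to the components you render.
const URL_ATTRS = new Set(["href", "src", "action", "formAction", "xlinkHref"]);

// Mirror the WHATWG URL parser's pre-processing of the input string.
function normalizeForScheme(value) {
  return value
    .replace(/^[\u0000-\u0020]+/, "") // leading C0 controls and spaces are stripped
    .replace(/[\t\n\r]/g, "");        // ASCII tab/newline are removed anywhere
}

// True when the value would be parsed with scheme "javascript".
function isScriptUrl(value) {
  if (typeof value !== "string") return false;
  return /^javascript:/i.test(normalizeForScheme(value));
}

// props: plain object of prop name -> value, as a JSX element would receive.
// Returns the names of the props that carry a script URL.
function findScriptUrlProps(props) {
  return Object.entries(props)
    .filter(([name, value]) => URL_ATTRS.has(name) && isScriptUrl(value))
    .map(([name]) => name);
}

// Constructed sample inputs.
const samples = [
  { href: "javascript:void(0)" },                 // plain form
  { href: "  JavaScript:void(0)" },               // leading spaces, mixed case
  { href: "java\tscript:void(0)" },               // embedded tab
  { href: "https://example.com/?q=javascript:" }, // scheme is https, not flagged
  { href: "#", onClick: () => {} },               // event handler instead of a script URL
];

for (const props of samples) {
  console.log(JSON.stringify(props.href), "->", findScriptUrlProps(props));
}
```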
a117535 to e8369ef