MCPcopy
hub / github.com/facebook/react / sanitizeURL

Function sanitizeURL

packages/react-dom-bindings/src/shared/sanitizeURL.js:22–32  ·  view source on GitHub ↗
(url: T)

Source from the content-addressed store, hash-verified

20 /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
21
22function sanitizeURL<T>(url: T): T | string {
23 // We should never have symbols here because they get filtered out elsewhere.
24 // eslint-disable-next-line react-internal/safe-string-coercion
25 if (isJavaScriptProtocol.test('' + (url: any))) {
26 // Return a different javascript: url that doesn't cause any side-effects and just
27 // throws if ever visited.
28 // eslint-disable-next-line no-script-url
29 return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
30 }
31 return url;
32}
33
34export default sanitizeURL;

Callers 9

setPropFunction · 0.85
coerceFormActionPropFunction · 0.85
pushAttributeFunction · 0.85
pushStartObjectFunction · 0.85

Calls 1

testMethod · 0.45

Tested by

no test coverage detected