(url: T)
| 20 | /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i; |
| 21 | |
/**
 * Neutralises `javascript:` URLs before they are handed back to the caller.
 *
 * The value is coerced to a string and tested against `isJavaScriptProtocol`
 * (declared outside this function). On a match, a fixed inert `javascript:`
 * URL is returned in its place; it has no side effects and only throws if it
 * is ever visited. Any other value is returned unchanged, with its original
 * type.
 *
 * Only the scheme covered by `isJavaScriptProtocol` is handled here; every
 * other URL, whatever its scheme, passes through as-is, so this function
 * does not validate or allow-list URLs in general.
 */
function sanitizeURL<T>(url: T): T | string {
  // Symbols are expected to have been filtered out before this point, so the
  // string concatenation below is not expected to see one.
  // eslint-disable-next-line react-internal/safe-string-coercion
  const urlText = '' + (url: any);
  if (!isJavaScriptProtocol.test(urlText)) {
    // Not a javascript: URL: hand back the caller's value untouched.
    return url;
  }
  // Substitute a javascript: URL that is free of side effects and simply
  // throws if it is ever navigated to.
  // eslint-disable-next-line no-script-url
  return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
| 33 | |
| 34 | export default sanitizeURL; |