Rules
no-unsafe-iframe-sandbox
Enforces that the 'sandbox' attribute for 'iframe' elements is not set to unsafe combinations.
Full Name in eslint-plugin-react-dom
react-dom/no-unsafe-iframe-sandboxFull Name in @eslint-react/eslint-plugin
@eslint-react/dom-no-unsafe-iframe-sandboxPresets
strict
strict-typescript
strict-type-checked
Rule Details
This rule reports cases where the attribute contains allow-scripts and allow-same-origin at the same time, as this combination allows the embedded document to remove the sandbox attribute and bypass the restrictions.
Common Violations
Invalid
function MyComponent() {
return (
<iframe
src="https://eslint-react.xyz"
sandbox="allow-scripts allow-same-origin"
/>
);
}Valid
function MyComponent() {
return <iframe src="https://eslint-react.xyz" sandbox="allow-popups" />;
}Resources
Further Reading
See Also
react-dom/no-missing-iframe-sandbox
Enforces an explicitsandboxattribute foriframeelements.react-dom/no-unsafe-target-blank
Disallowstarget="_blank"withoutrel="noreferrer noopener".