no-unsafe-target-blank

Disallows 'target="_blank"' without 'rel="noreferrer noopener"'.

Full Name in eslint-plugin-react-dom

react-dom/no-unsafe-target-blank

Full Name in @eslint-react/eslint-plugin

@eslint-react/dom-no-unsafe-target-blank

Features

🔧

Presets

strict strict-typescript strict-type-checked

Rule Details

When a link uses target="_blank" without rel="noreferrer noopener", the page it opens can access the window.opener property of the original page and use it to navigate the original tab to a different URL. This security vulnerability is known as tabnabbing.

Common Violations

Invalid

function MyComponent() {
  return (
    <a href="https://eslint-react.xyz" target="_blank">
      Example
    </a>
  );
}

Valid

function MyComponent() {
  return (
    <a href="https://eslint-react.xyz" target="_blank" rel="noreferrer noopener">
      Example
    </a>
  );
}
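
Added example, not code from eslint-react or the original page: a runtime check and fix for link props that are computed at run time (for instance from CMS data), applying the same rel="noreferrer noopener" requirement the rule describes. The function names and sample props are hypothetical.

```javascript
// Added example: runtime counterpart to the lint check (hypothetical names).
const REQUIRED_REL = ["noreferrer", "noopener"];

// Split a rel value into lowercase, de-duplicated tokens.
function relTokens(rel) {
  if (typeof rel !== "string") return [];
  return [...new Set(rel.toLowerCase().split(/\s+/).filter(Boolean))];
}

// The _blank keyword is matched case-insensitively, as browsers do.
function opensBlank(target) {
  return typeof target === "string" && target.toLowerCase() === "_blank";
}

// True when target="_blank" is set and either required rel token is missing.
function isUnsafeTargetBlank(props) {
  if (!opensBlank(props.target)) return false;
  const tokens = relTokens(props.rel);
  return !REQUIRED_REL.every((t) => tokens.includes(t));
}

// Return a copy of props with the missing tokens appended, keeping
// tokens the caller already set (e.g. "nofollow"). Safe props pass through.
function hardenLinkProps(props) {
  if (!isUnsafeTargetBlank(props)) return props;
  const tokens = relTokens(props.rel);
  for (const t of REQUIRED_REL) if (!tokens.includes(t)) tokens.push(t);
  return { ...props, rel: tokens.join(" ") };
}

// Constructed sample props, as they might arrive from external data.
const samples = [
  { href: "https://eslint-react.xyz", target: "_blank" },
  { href: "https://eslint-react.xyz", target: "_BLANK", rel: "nofollow NoOpener" },
  { href: "https://eslint-react.xyz", target: "_blank", rel: "noreferrer noopener" },
  { href: "/docs", rel: "" },
];

// Report, per sample, whether it was unsafe and the rel value after hardening.
function auditSamples() {
  return samples.map((p) => ({
    unsafe: isUnsafeTargetBlank(p),
    rel: hardenLinkProps(p).rel,
  }));
}
```

Spread the result of hardenLinkProps onto the <a> element in place of the raw props.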
