React Security
Detects React-specific security issues: dangerouslySetInnerHTML, javascript: URLs in href, and target="_blank" without rel="noopener".
React escapes most DOM strings automatically, but escape hatches like dangerouslySetInnerHTML, javascript:-protocol URLs, and target="_blank" without rel="noopener" recreate the security holes the framework prevents elsewhere. This analysis flags every such escape hatch so each can be reviewed.
Severity guide
- info: A signal worth being aware of but not requiring action.
- warning: A pattern likely to cause subtle bugs or performance issues; refactor recommended.
- critical: A pattern actively breaking expected behavior or contracts; fix immediately.
Remediation
Address the flagged pattern; the message field describes the specific instance.
Review the issue location and apply the React/Next.js best practice for the pattern. Each emission carries enough context to act on directly.
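One way to remediate two of the flagged patterns, javascript: URLs in href and target="_blank" without rel="noopener", at the point where link props are built. This is an added example, not the analyzer's own code; safeHref, safeAnchorProps, the scheme allow-list and the app.example base URL are assumptions.

```javascript
// Added example (hypothetical helper names). Spread the result onto an <a>:
//   <a {...safeAnchorProps({ href: userUrl, target: "_blank" })}>link</a>

// Assumption: only these schemes are legitimate link targets in this app.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns a normalized href, or null when the scheme is not allow-listed.
// Parsing with the WHATWG URL class instead of a string-prefix check means
// mixed case, leading whitespace and embedded tabs/newlines are normalized
// the same way the browser normalizes them before navigating.
function safeHref(raw, base = "https://app.example/") {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, base); // base resolves relative links; assumed value
  } catch {
    return null; // unparseable input is treated as unsafe
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Builds props for an anchor element: drops an unsafe href entirely and
// guarantees rel contains "noopener" whenever target is "_blank".
function safeAnchorProps({ href, target, rel, ...rest }) {
  const props = { ...rest };
  const checked = safeHref(href);
  if (checked !== null) props.href = checked;
  if (target !== undefined) props.target = target;

  // HTML matches the "_blank" keyword case-insensitively.
  if (String(target).toLowerCase() === "_blank") {
    // rel is a space-separated, case-insensitive token list; keep existing tokens.
    const tokens = new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
    tokens.add("noopener");
    props.rel = [...tokens].join(" ");
  } else if (rel !== undefined) {
    props.rel = rel;
  }
  return props;
}
```

In the browser, pass window.location.href as the base so relative links resolve against the current page.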