feat: implement noScriptUrl rule (#8232)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Carson McManus <[email protected]>
Co-authored-by: Emanuele Stoppa <[email protected]>
Co-authored-by: Maikel van Dort <[email protected]>

Author: 5 people

.changeset/add-no-script-url-rule.md

@@ -0,0 +1,10 @@
+---
+"@biomejs/biome": patch
+---
+Added the nursery rule [`noScriptUrl`](https://biomejs.dev/linter/rules/no-script-url/).
+
+This rule disallows the use of `javascript:` URLs, which are considered a form of `eval` and can pose security risks such as XSS vulnerabilities.
+
+```jsx
+<a href="javascript:alert('XSS')">Click me</a>
+```

crates/biome_cli/src/execute/migrate/eslint_any_rule_to_biome.rs

@@ -253,6 +253,7 @@ define_categories! {
     "lint/security/noDangerouslySetInnerHtml": "https://biomejs.dev/linter/rules/no-dangerously-set-inner-html",
     "lint/security/noDangerouslySetInnerHtmlWithChildren": "https://biomejs.dev/linter/rules/no-dangerously-set-inner-html-with-children",
     "lint/security/noGlobalEval": "https://biomejs.dev/linter/rules/no-global-eval",
+    "lint/nursery/noScriptUrl": "https://biomejs.dev/linter/rules/no-script-url",
     "lint/security/noSecrets": "https://biomejs.dev/linter/rules/no-secrets",
     "lint/style/noCommonJs": "https://biomejs.dev/linter/rules/no-common-js",
     "lint/style/noDefaultExport": "https://biomejs.dev/linter/rules/no-default-export",

crates/biome_configuration/src/analyzer/linter/rules.rs

@@ -3,6 +3,7 @@
 //! Generated file, do not edit by hand, see `xtask/codegen`
 
 use biome_analyze::declare_lint_group;
+pub mod no_script_url;
 pub mod no_sync_scripts;
 pub mod no_vue_v_if_with_v_for;
 pub mod use_vue_hyphenated_attributes;
@@ -13,4 +14,4 @@ pub mod use_vue_valid_v_html;
 pub mod use_vue_valid_v_if;
 pub mod use_vue_valid_v_on;
 pub mod use_vue_valid_v_text;
-declare_lint_group! { pub Nursery { name : "nursery" , rules : [self :: no_sync_scripts :: NoSyncScripts , self :: no_vue_v_if_with_v_for :: NoVueVIfWithVFor , self :: use_vue_hyphenated_attributes :: UseVueHyphenatedAttributes , self :: use_vue_valid_v_bind :: UseVueValidVBind , self :: use_vue_valid_v_else :: UseVueValidVElse , self :: use_vue_valid_v_else_if :: UseVueValidVElseIf , self :: use_vue_valid_v_html :: UseVueValidVHtml , self :: use_vue_valid_v_if :: UseVueValidVIf , self :: use_vue_valid_v_on :: UseVueValidVOn , self :: use_vue_valid_v_text :: UseVueValidVText ,] } }
+declare_lint_group! { pub Nursery { name : "nursery" , rules : [self :: no_script_url :: NoScriptUrl , self :: no_sync_scripts :: NoSyncScripts , self :: no_vue_v_if_with_v_for :: NoVueVIfWithVFor , self :: use_vue_hyphenated_attributes :: UseVueHyphenatedAttributes , self :: use_vue_valid_v_bind :: UseVueValidVBind , self :: use_vue_valid_v_else :: UseVueValidVElse , self :: use_vue_valid_v_else_if :: UseVueValidVElseIf , self :: use_vue_valid_v_html :: UseVueValidVHtml , self :: use_vue_valid_v_if :: UseVueValidVIf , self :: use_vue_valid_v_on :: UseVueValidVOn , self :: use_vue_valid_v_text :: UseVueValidVText ,] } }

crates/biome_diagnostics_categories/src/categories.rs

@@ -0,0 +1,106 @@
+use biome_analyze::{
+    Ast, Rule, RuleDiagnostic, RuleSource, context::RuleContext, declare_lint_rule,
+};
+use biome_console::markup;
+use biome_diagnostics::Severity;
+use biome_html_syntax::{AnyHtmlAttributeInitializer, HtmlOpeningElement, inner_string_text};
+use biome_rowan::{AstNode, TextRange};
+use biome_rule_options::no_script_url::NoScriptUrlOptions;
+use biome_string_case::StrOnlyExtension;
+
+declare_lint_rule! {
+    /// Disallow `javascript:` URLs in HTML.
+    ///
+    /// Using `javascript:` URLs is considered a form of `eval` and can be a security risk.
+    /// These URLs can execute arbitrary JavaScript code, which can lead to cross-site scripting (XSS) vulnerabilities.
+    ///
+    /// ## Examples
+    ///
+    /// ### Invalid
+    ///
+    /// ```html,expect_diagnostic
+    /// <a href="javascript:void(0)">Click me</a>
+    /// ```
+    ///
+    /// ```html,expect_diagnostic
+    /// <a href="javascript:alert('XSS')">Click me</a>
+    /// ```
+    ///
+    /// ### Valid
+    ///
+    /// ```html
+    /// <a href="https://example.com">Click me</a>
+    /// <a href="/path/to/page">Click me</a>
+    /// <a href="#section">Click me</a>
+    /// <span href="javascript:void(0)">Not a real href</span>
+    /// ```
+    ///
+    pub NoScriptUrl {
+        version: "next",
+        name: "noScriptUrl",
+        language: "html",
+        // Show equivalents from related ecosystems
+        sources: &[
+            RuleSource::Eslint("no-script-url").same(),
+            RuleSource::EslintReact("jsx-no-script-url").same(),
+            RuleSource::EslintQwik("jsx-no-script-url").same(),
+            RuleSource::EslintSolid("jsx-no-script-url").same(),
+            RuleSource::EslintReactXyz("dom-no-script-url").same(),
+        ],
+        recommended: true,
+        severity: Severity::Error,
+    }
+}
+
+impl Rule for NoScriptUrl {
+    type Query = Ast<HtmlOpeningElement>;
+    type State = TextRange;
+    type Signals = Option<Self::State>;
+    type Options = NoScriptUrlOptions;
+
+    fn run(ctx: &RuleContext<Self>) -> Option<Self::State> {
+        let element = ctx.query();
+
+        // Only check <a> elements for HTML (unlike JSX where components/custom elements exist)
+        let name = element.name().ok()?;
+        let token = name.value_token().ok()?;
+        let tag = token.text_trimmed();
+        if !tag.eq_ignore_ascii_case("a") {
+            return None;
+        }
+
+        let attrs = element.attributes();
+        let attr = attrs.find_by_name("href")?;
+        let initializer = attr.initializer()?;
+        let value = initializer.value().ok()?;
+
+        if let AnyHtmlAttributeInitializer::HtmlString(html_string) = value
+            && let Ok(token) = html_string.value_token()
+        {
+            let inner = inner_string_text(&token);
+            if inner.trim().to_lowercase_cow().starts_with("javascript:") {
+                return Some(initializer.range());
+            }
+        }
+
+        None
+    }
+
+    fn diagnostic(_ctx: &RuleContext<Self>, range: &Self::State) -> Option<RuleDiagnostic> {
+        Some(
+            RuleDiagnostic::new(
+                rule_category!(),
+                *range,
+                markup! {
+                    "Avoid using "<Emphasis>"javascript:"</Emphasis>" URLs, as they can be a security risk."
+                },
+            )
+            .note(markup! {
+                "Using "<Emphasis>"javascript:"</Emphasis>" URLs can lead to security vulnerabilities such as cross-site scripting (XSS)."
+            })
+            .note(markup! {
+                "Consider using regular URLs, or if you need to handle click events, use event handlers instead."
+            }),
+        )
+    }
+}

crates/biome_html_analyze/src/lint/nursery.rs

@@ -13,8 +13,8 @@ use camino::Utf8Path;
 use std::ops::Deref;
 use std::{fs::read_to_string, slice};
 
-tests_macros::gen_tests! {"tests/specs/**/*.{html,vue,json,jsonc}", crate::run_test, "module"}
-tests_macros::gen_tests! {"tests/suppression/**/*.{html,vue,json,jsonc}", crate::run_suppression_test, "module"}
+tests_macros::gen_tests! {"tests/specs/**/*.{html,vue,astro,svelte,json,jsonc}", crate::run_test, "module"}
+tests_macros::gen_tests! {"tests/suppression/**/*.{html,vue,astro,svelte,json,jsonc}", crate::run_suppression_test, "module"}
 
 fn run_test(input: &'static str, _: &str, _: &str, _: &str) {
     register_leak_checker();

crates/biome_html_analyze/src/lint/nursery/no_script_url.rs

@@ -0,0 +1,7 @@
+---
+// Astro invalid cases - should trigger the rule
+---
+
+<a href="javascript:void(0)">Void</a>
+<a href=" javascript:prompt('XSS') ">Prompt</a>
+<a href="JAVASCRIPT:doSomething()">Uppercase</a>

crates/biome_html_analyze/tests/spec_tests.rs

@@ -0,0 +1,71 @@
+---
+source: crates/biome_html_analyze/tests/spec_tests.rs
+expression: invalid.astro
+---
+# Input
+```html
+---
+// Astro invalid cases - should trigger the rule
+---
+
+<a href="javascript:void(0)">Void</a>
+<a href=" javascript:prompt('XSS') ">Prompt</a>
+<a href="JAVASCRIPT:doSomething()">Uppercase</a>
+
+```
+
+# Diagnostics
+```
+invalid.astro:5:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  × Avoid using javascript: URLs, as they can be a security risk.
+  
+    3 │ ---
+    4 │ 
+  > 5 │ <a href="javascript:void(0)">Void</a>
+      │        ^^^^^^^^^^^^^^^^^^^^^
+    6 │ <a href=" javascript:prompt('XSS') ">Prompt</a>
+    7 │ <a href="JAVASCRIPT:doSomething()">Uppercase</a>
+  
+  i Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
+  
+  i Consider using regular URLs, or if you need to handle click events, use event handlers instead.
+  
+
+```
+
+```
+invalid.astro:6:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  × Avoid using javascript: URLs, as they can be a security risk.
+  
+    5 │ <a href="javascript:void(0)">Void</a>
+  > 6 │ <a href=" javascript:prompt('XSS') ">Prompt</a>
+      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    7 │ <a href="JAVASCRIPT:doSomething()">Uppercase</a>
+    8 │ 
+  
+  i Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
+  
+  i Consider using regular URLs, or if you need to handle click events, use event handlers instead.
+  
+
+```
+
+```
+invalid.astro:7:8 lint/nursery/noScriptUrl ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  × Avoid using javascript: URLs, as they can be a security risk.
+  
+    5 │ <a href="javascript:void(0)">Void</a>
+    6 │ <a href=" javascript:prompt('XSS') ">Prompt</a>
+  > 7 │ <a href="JAVASCRIPT:doSomething()">Uppercase</a>
+      │        ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    8 │ 
+  
+  i Using javascript: URLs can lead to security vulnerabilities such as cross-site scripting (XSS).
+  
+  i Consider using regular URLs, or if you need to handle click events, use event handlers instead.
+  
+
+```

crates/biome_html_analyze/tests/specs/nursery/noScriptUrl/invalid.astro

@@ -0,0 +1,9 @@
+<!-- Invalid cases - should trigger the rule -->
+
+<a href="javascript:void(0)">Link</a>
+
+<a href="javascript:alert('XSS')">Link</a>
+
+<a href=" javascript:void(0)">Link</a>
+
+<a href="JAVASCRIPT:void(0)">Link</a>