Will It Vibe logoWill It Vibe?
SVELTE-002Medium severity-8 points

javascript: URL in a Svelte attribute

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A javascript: URL in href or src runs script when the link or resource is activated. It is an XSS vector whenever any part of the URL is user influenced, and Svelte does not sanitize it for you.

Why it matters

A javascript: URL in href or src executes script when the link is clicked or the resource loads. If any part of the URL is built from user input, that is a cross-site scripting vector, and even a hardcoded one is a code smell that browsers and CSP increasingly block. Svelte does not sanitize attribute values for you.

How to fix it

Replace the javascript: URL with a real handler. For a link that runs code, use a <button> with on:click, or an <a> with a normal href plus on:click|preventDefault. For dynamic URLs, validate that the value starts with an allowed scheme (https, mailto, or a relative path) before assigning it, and reject javascript:, data:, and vbscript:.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks