Added warning in development mode when rendering link with javascript…

…:url, fixes Github #1594
infernojs · Jun 17, 2022 · 7bc3763 · 7bc3763
1 parent 8d58e6a
commit 7bc3763
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 1 deletion.
diff --git a/packages/inferno/__tests__/link.spec.tsx b/packages/inferno/__tests__/link.spec.tsx
@@ -0,0 +1,54 @@
+/* tslint:disable:no-console */
+import { render } from 'inferno';
+
+describe('Links', () => {
+  let container;
+
+  beforeEach(function () {
+    container = document.createElement('div');
+    document.body.appendChild(container);
+  });
+
+  afterEach(function () {
+    render(null, container);
+    container.innerHTML = '';
+    document.body.removeChild(container);
+  });
+
+  describe('javascript href', function () {
+    it('Should log warning when rendering link starting with javascript::', function () {
+      spyOn(console, 'error');
+
+      render(<a href="javascript:foobar">test</a>, container);
+
+      expect(console.error).toHaveBeenCalledTimes(1);
+      expect(console.error).toHaveBeenCalledWith(
+        'Rendering links with javascript: URLs is not recommended. Use event handlers instead if you can. Inferno was passed "javascript:foobar".'
+      );
+      expect(container.innerHTML).toEqual('<a href="javascript:foobar">test</a>');
+    });
+
+    it('Should allow patching link to null', function () {
+      spyOn(console, 'error');
+
+      render(<a href="javascript:foobar">test</a>, container);
+
+      expect(console.error).toHaveBeenCalledTimes(1);
+
+      render(<a>test</a>, container);
+
+      expect(console.error).toHaveBeenCalledTimes(1);
+
+      expect(container.innerHTML).toEqual('<a>test</a>');
+    });
+
+    it('Should not log warning when rendering regular link', function () {
+      spyOn(console, 'error');
+
+      render(<a href="https://github.com/infernojs/inferno">test</a>, container);
+
+      expect(console.error).toHaveBeenCalledTimes(0);
+      expect(container.innerHTML).toEqual('<a href="https://github.com/infernojs/inferno">test</a>');
+    });
+  });
+});
diff --git a/packages/inferno/src/DOM/props.ts b/packages/inferno/src/DOM/props.ts
@@ -1,6 +1,6 @@
 import type { VNode } from '../core/types';
 import { namespaces } from './constants';
-import { isNull, isNullOrUndef, isString } from 'inferno-shared';
+import { isNull, isNullOrUndef, isString, warning } from 'inferno-shared';
 import { handleSyntheticEvent, syntheticEvents } from './events/delegation';
 import { ChildFlags, VNodeFlags } from 'inferno-vnode-flags';
 import { isSameInnerHTML } from './utils/innerHTML';
@@ -159,6 +159,11 @@ export function patchProp(
         // If we end up in this path we can read property again
         dom.setAttributeNS(namespaces[prop], prop, nextValue);
       } else {
+        if (process.env.NODE_ENV !== 'production') {
+          if (prop === 'href' && isString(nextValue) && nextValue.indexOf('javascript:') === 0) {
+            warning('Rendering links with javascript: URLs is not recommended. Use event handlers instead if you can. Inferno was passed "' + nextValue + '".');
+          }
+        }
         dom.setAttribute(prop, nextValue);
       }
       break;