Try @eslint-react/kit@beta
logoESLint React
Rules

no-unsafe-iframe-sandbox

Enforces that the 'sandbox' attribute for 'iframe' elements is not set to unsafe combinations.

Full Name in eslint-plugin-react-dom

react-dom/no-unsafe-iframe-sandbox

Full Name in @eslint-react/eslint-plugin

@eslint-react/dom-no-unsafe-iframe-sandbox

Presets

strict strict-typescript strict-type-checked

Rule Details

This rule reports cases where the attribute contains allow-scripts and allow-same-origin at the same time, as this combination allows the embedded document to remove the sandbox attribute and bypass the restrictions.

Examples

Sandboxing third-party content in an iframe

function MyComponent() {
  return (
    // Problem: allow-scripts together with allow-same-origin lets the embedded
    // document escape the sandbox by removing the attribute via JavaScript
    <iframe
      src="https://eslint-react.xyz"
      sandbox="allow-scripts allow-same-origin"
    />
  );
}
function MyComponent() {
  // Recommended: Use a safer sandbox value that does not combine both flags
  return <iframe src="https://eslint-react.xyz" sandbox="allow-popups" />;
}

Restrictive sandboxing for untrusted content

When embedding untrusted third-party content, use a restrictive sandbox attribute that limits the embedded document's capabilities without allowing script execution combined with same-origin access.

// Recommended: Use restrictive sandbox values for untrusted content
function MyComponent() {
  return (
    <iframe
      src="https://example.com"
      sandbox="allow-popups allow-popups-to-escape-sandbox"
    />
  );
}

Versions

Resources

Further Reading

See Also

no-unknown-property

Disallows unknown 'DOM' properties.

no-unsafe-target-blank

Disallows 'target="_blank"' without 'rel="noreferrer noopener"'.

On this page

Rule DetailsExamplesSandboxing third-party content in an iframeRestrictive sandboxing for untrusted contentVersionsChangedFixedAddedResourcesFurther ReadingSee Also