Disallow creating dynamic script tags (github/no-dynamic-script-tag)

February 8, 2023 ยท View on GitHub

๐Ÿ’ผ This rule is enabled in the โœ… recommended config.

Rule Details

Creating dynamic script tags bypasses a lot of security measures - like SRIs - and pose a potential threat to your application. Instead of creating a script tag in the client, provide all necessary script tags in the page's HTML.

๐Ÿ‘Ž Examples of incorrect code for this rule:

document.createElement('script')
document.getElementById('some-id').type = 'text/javascript'

๐Ÿ‘ Examples of correct code for this rule:

<!-- index.html -->
<script src="/index.js" type="text/javascript">

Version

4.3.2