Disallow an <a> tag with JavaScript protocol in href

Rules and Languages New rules / language support
, ,
1

BurpSuite is flagging some of our files as the JSPs include lines like:
<a href="javascript:;"… or <a href="javascript:void(0);"
This code is bad practice (inline JavaScript), bad for SEO and acessibility and generally should be dealt with either with a button or by having JavaScript in an external file.

Non-compliant code: <a href="javascript:;">...</a>
Compliant code: <button href="javascript:;">...</buttpn>

Reference: <a>: The Anchor element - HTML: HyperText Markup Language | MDN

Anchor elements are often abused as fake buttons by setting their href to # or javascript:void(0) to prevent the page from refreshing, then listening for their click events .

These bogus href values cause unexpected behavior when copying/dragging links, opening links in a new tab/window, bookmarking, or when JavaScript is loading, errors, or is disabled. They also convey incorrect semantics to assistive technologies, like screen readers.

Use a <button> instead. In general, you should only use a hyperlink for navigation to a real URL .

2

This code definitely does not conform to HTML, since the href attribute is not valid on the button element. What you need instead of href is an event listener on the button.

Code such as <a href="javascript:;">… or <a href="#">...</a> suggest that a fake link has been repurposed as a button. This has two downsides for accessibility:

  1. Screen readers won’t announce it as a button but as a link, even though activating the “link” does not take you to a new destination.
  2. A real button can be activated with both Enter and Space, but the above type of fake button tends to respond only to Enter, just like an ordinary link.