Frontend safety

safe-external-links

Require `rel="noopener noreferrer"` on `<a target="_blank">`.

Without the rel guard, a link opened with `<a target="_blank">` leaks the opener (`window.opener`) to the destination page and enables reverse tabnabbing: the destination page can navigate the original tab to a phishing page. The rule auto-fixes a link only when its `rel` attribute is missing entirely.

Behavior

  • Fixable: Yes — inserts `rel="noopener noreferrer"` when missing.
  • Suggestions: No.

Examples

Bad:

<a href="https://x.com" target="_blank">x</a>

Good:

<a href="https://x.com" target="_blank" rel="noopener noreferrer">x</a>
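The check described above, as an added example (not the plugin's own code): a small scanner that reports `<a target="_blank">` tags whose `rel` lacks `noopener` or `noreferrer`. The names `checkExternalLinks`, `parseAttrs` and `SAMPLE` are hypothetical, and treating a partial `rel` as report-only is this example's reading of "auto-fixed when missing entirely".

```javascript
// Added example, not the plugin's source. Regex scan of plain HTML with quoted
// attribute values only; JSX expressions and unquoted values are out of scope.
const REQUIRED = ['noopener', 'noreferrer'];

// Parse the quoted attributes of one opening tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}

// Return one finding per <a target="_blank"> whose rel lacks a required token.
function checkExternalLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\s[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if ((attrs.target ?? '').toLowerCase() !== '_blank') continue;
    const tokens = (attrs.rel ?? '').toLowerCase().split(/\s+/).filter(Boolean);
    const missing = REQUIRED.filter((t) => !tokens.includes(t));
    if (missing.length === 0) continue;
    // Assumption: only a wholly absent rel gets an automatic fix; a partial rel
    // is reported for manual review so existing tokens are not rewritten blindly.
    const fixed = 'rel' in attrs
      ? null
      : tag.replace(/\s*>$/, ' rel="noopener noreferrer">');
    findings.push({ tag, missing, fixed });
  }
  return findings;
}

// Constructed sample input: the page's Bad and Good links plus two edge cases.
const SAMPLE = [
  '<a href="https://x.com" target="_blank">x</a>',
  '<a href="https://x.com" target="_blank" rel="noopener noreferrer">x</a>',
  '<a href="https://x.com" target="_blank" rel="nofollow">x</a>',
  '<a href="/docs" data-target="_blank">docs</a>',
].join('\n');

for (const f of checkExternalLinks(SAMPLE)) {
  console.log(f.fixed ? `fix:    ${f.fixed}` : `report: ${f.tag} (missing ${f.missing.join(', ')})`);
}
```

The `data-target="_blank"` link is skipped because only a real `target` attribute opens a new browsing context.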

Use it

Enable safe-external-links in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/safe-external-links': 'error',
    },
  },
];
