Menu
I want to be able to do
<form action="javascript:void(0)">
or
<a href="javascript:void(0)">
to make sure nothing happens even if the handler fails to prevent the default action. How should I declare this to be allowed using the Content-Security-Policy HTTP response header without resorting to unsafe-eval?
549
html. Output: Using “javascript:void(0);” in anchor tag: Writing “javascript:void(0);” in anchor tag can prevent the page to reload and JavaScript functions can be called on single or double clicks easily. Example: html.
Combining javascript: and void(0) Using javascript: , you can run code that does not change the current page. This, used with void(0) means, do nothing - don't reload, don't navigate, do not run any code. The "Link" word is treated as a link by the browser.
JavaScript void 0 means returning undefined (void) as a primitive value. You might come across the term “JavaScript:void(0)” while going through HTML documents. It is used to prevent any side effects caused while inserting an expression in a web page.
Generally, you want to avoid href="javascript:void(0)" , as it will cause the browser to parse the value of the link URL, which is both costly and unnecessary. It also introduces a potential XSS security vulnerability, as javascript: URLs violate Content Security Policy (CSP).
I've recently applied CSP policy to a huge VUE project, by adding meta headers to index.html.
Google Chrome would print a warning about javascript: links, but nothing else happens apart from that.
What I did is simply remove the href="javascript: attribute, and added a style to maintain the cursor style:
a:hover {
cursor: pointer;
}
And it worked great for me.
P.S I also replaced several <a> with <button> tag, and <button> does not require a href attribute.
83
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
