astro/no-unsafe-inline-scripts
disallow inline `<script>` without `src` to encourage CSP-safe patterns
📖 Rule Details
Inline scripts typically require `script-src 'unsafe-inline'` in your Content Security Policy, increasing XSS risk. Prefer external scripts (`src`) or safer patterns.
```astro
---
/* eslint astro/no-unsafe-inline-scripts: "error" */
---

{/* ✗ BAD */}
<button id="btn">Click</button>
<script>
  console.log('inline')
</script>

{/* ✗ BAD */}
<script type="module">
  console.log('inline module')
</script>

{/* ✓ GOOD */}
<script src="/assets/app.js"></script>

{/* ✓ GOOD */}
<script type="application/ld+json">
  {JSON.stringify({"@context": "https://schema.org", "@type": "Thing"})}
</script>
```
🔧 Options
```json
{
  "astro/no-unsafe-inline-scripts": [
    "warn",
    {
      "allowDefineVars": false,
      "allowModuleScripts": false,
      "allowNonExecutingTypes": ["application/ld+json", "application/json"],
      "allowNonce": false
    }
  ]
}
```

- `allowDefineVars` (default: `false`): allows inline `<script define:vars={...}>`. Set to `true` to allow scripts with `define:vars`.
- `allowModuleScripts` (default: `false`): allows inline `<script type="module">`.
- `allowNonExecutingTypes` (default includes JSON/JSON-LD): allows non-executing types.
- `allowNonce` (default: `false`): allows inline scripts with a `nonce` attribute (for CSP nonce deployments).
🔇 When Not To Use It
If your project allows inline scripts (e.g., CSP with nonces), you may disable this rule or adjust options.
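As an added illustration for the options above and for the nonce case just mentioned (this is not the plugin's own implementation), the following JavaScript models the decision this rule documents and adds a small parser for the `script-src` directive of a CSP header, so you can check whether a deployment actually relies on `'unsafe-inline'` before relaxing the rule. The `attrs` object shape and the CSP parsing are assumptions made for the example.

```javascript
// Added illustration, not the plugin's implementation: a model of the decision
// this rule documents, so the effect of each option can be checked directly.
// Assumption: `attrs` maps the <script> tag's attribute names (as written in
// the .astro file) to their string values.
const DEFAULT_OPTIONS = {
  allowDefineVars: false,
  allowModuleScripts: false,
  allowNonExecutingTypes: ["application/ld+json", "application/json"],
  allowNonce: false,
};

// Returns null when the <script> needs no 'unsafe-inline', else a reason string.
function inlineScriptViolation(attrs, userOptions = {}) {
  const opts = { ...DEFAULT_OPTIONS, ...userOptions };
  if ("src" in attrs) return null; // external script: CSP can allow-list its origin
  const type = (attrs.type || "").trim().toLowerCase();
  const nonExecuting = opts.allowNonExecutingTypes.map((t) => t.toLowerCase());
  if (type && nonExecuting.includes(type)) return null; // data block, never executed
  if (type === "module" && opts.allowModuleScripts) return null;
  if ("define:vars" in attrs && opts.allowDefineVars) return null;
  if ("nonce" in attrs && opts.allowNonce) return null;
  return "inline <script> without src requires script-src 'unsafe-inline'";
}

// Companion check for the "When Not To Use It" case: summarise how the
// script-src directive of a CSP header treats inline scripts. Falls back to
// default-src when script-src is absent, as browsers do.
function cspInlineScriptPolicy(header) {
  const directives = new Map(
    header.split(";")
      .map((d) => d.trim().split(/\s+/))
      .filter((parts) => parts[0])
      .map(([name, ...values]) => [name.toLowerCase(), values]),
  );
  const src = directives.get("script-src") ?? directives.get("default-src") ?? [];
  const lower = src.map((v) => v.toLowerCase());
  // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const usesNonceOrHash = lower.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  return {
    unsafeInlineEffective: lower.includes("'unsafe-inline'") && !usesNonceOrHash,
    usesNonceOrHash,
  };
}
```

If `cspInlineScriptPolicy` reports `usesNonceOrHash` for your deployed header, `allowNonce: true` matches the policy; if it reports `unsafeInlineEffective`, the rule's default findings are the ones worth fixing.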
📚 Further Reading
- OWASP: Cross Site Scripting (XSS) Prevention Cheat Sheet
- Astro Docs: Client-Side Scripts
- CSP Guide: `unsafe-inline` explanation
🚀 Version
This rule was introduced in eslint-plugin-astro v1.4.0.
🔍 Implementation