Specify a blacklist of disallowed URL schemes.
a { background-image: url('http://www.example.com/file.jpg'); }
/** ↑
* This URL scheme */
A URL scheme consists of alphanumeric, +
, -
, and .
characters. It can appear at the start of a URL and is followed by :
.
This rule ignores:
- URL arguments without an existing URL scheme
- URL arguments with variables or variable interpolation (
$sass
,@less
,--custom-property
,#{$var}
,@{var}
,$(var)
)
array|string|regex
: ["array", "of", "schemes" or "regex"]|"scheme"|/regex/
Given:
["ftp", "/^http/"]
The following patterns are considered violations:
a { background-image: url('ftp://www.example.com/file.jpg'); }
a { background-image: url('http://www.example.com/file.jpg'); }
a { background-image: url('https://www.example.com/file.jpg'); }
The following patterns are not considered violations:
a { background-image: url('data:image/gif;base64,R0lGODlhAQABAIAAAAUEBAAAACwAAAAAAQABAAACAkQBADs='); }
a { background-image: url('example.com/file.jpg'); }
a { background-image: url('/example.com/file.jpg'); }
a { background-image: url('//example.com/file.jpg'); }
a { background-image: url('./path/to/file.jpg'); }