Which href value should I use for empty JavaScript links, "#" or "javascript:void(0)"?

Matthew C.

The Problem

You want to create an empty link. Which href value should you use: "", "#", or "javascript:void(0)"?

The Solution

Links are used to take a user to a new location, like a new web page or a different section of the current page. You should avoid using empty links, but you may want to use an empty link during development so that you can see what the link will look like but you don’t yet know what the href value will be.

It’s best to avoid javascript: URLs, as these can expose your website to cross-site scripting (XSS) attacks. Inline code like javascript: URLS may be blocked by your content security policy(csp) to reduce XSS vulnerabilities, so while the "javascript:void(0)" URL is not vulnerable to XSS attacks, a dynamic href value that can use a javascript: URL will be vulnerable.

If you use a link in a React app that has an href value of "javascript:void(0)", you’ll get the following warning in your browser dev tools:

Warning: A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML try using dangerouslySetInnerHTML instead. React was passed "javascript:void(0)".

React gives a warning for all javascript: URLs used as a security precaution.

Setting the href value of the link to "" or "#" is a better alternative. An href value of "" will refresh the current page; an href value of "#" will navigate to the top of the page and "#" will be added to the URL.

Get Started With Sentry

Get actionable, code-level insights to resolve JavaScript performance bottlenecks and errors.

  1. Create a free Sentry account

  2. Create a JavaScript project and note your DSN

  3. Grab the Sentry JavaScript SDK

<script src="https://browser.sentry-cdn.com/7.104.0/bundle.min.js"></script>
  1. Configure your DSN
Sentry.init({ dsn: 'https://<key>@sentry.io/<project>' });

Check our documentation for the latest instructions.

Loved by over 4 million developers and more than 90,000 organizations worldwide, Sentry provides code-level observability to many of the world’s best-known companies like Disney, Peloton, Cloudflare, Eventbrite, Slack, Supercell, and Rockstar Games. Each month we process billions of exceptions from the most popular products on the internet.

Share on Twitter
Bookmark this page
Ask a questionJoin the discussion

Related Answers

A better experience for your users. An easier life for your developers.

© 2024 • Sentry is a registered Trademark
of Functional Software, Inc.