jsx-target-no-blank should warn when using JSX spread attributes

[michael-yx-wu]

At the moment, something like this would not trigger a warning:

<a {...otherProps} target="_blank" />

Since the rule can't verify whether this will compile to have an href that points to an external url, wouldn't it be safer to warn the user? If they are sure that this will never compile to be an external link, they can explicitly disable the rule for this line.

[ljharb]

What happens when you enable the enforceDynamicLinks option?

[michael-yx-wu]

It still doesn't warn, unfortunately. Maybe because the spread isn't considered an attribute and even if it were, hasDynamicLink's check for attribute === "href" (or some other user-specified attribute type) would fail.

[ljharb]

I think it's reasonable to either enhance enforceDynamicLinks to warn on a missing "href" when something's spread in, or, to add a new option for that behavior in case that's a breaking change.

[michael-yx-wu]

in a similar vein, what about when target is dynamic? For example:

<a href="https://some-external-url" target={someBoolValue ? "_blank" : undefined} >Maybe opens in a new tab</a>

might be unsafe depending on the value of someBoolValue.

[ljharb]

In that example, since one of the branches of the ternary is static and problematic, the rule should be able to warn as well.

[michael-yx-wu]

it's my first time contributing. @ljharb, are you the right person to review the PR?

[ljharb]

Yes, sorry for the delay - I’ll try to review it soon.

[michael-yx-wu]

@ljharb friendly ping. Let me know if there's anything I can add in the PR description to make it easier to review :)