From b053266675d25313886b50315bd7f79f1b40055b Mon Sep 17 00:00:00 2001
From: Naoki Ikeguchi <me@s6n.jp>
Date: Tue, 10 Mar 2026 23:25:36 +0900
Subject: [PATCH 1/2] fix(lint/noBlankTarget): still report when the href
 attribute is dynamic

---
 .../src/lint/security/no_blank_target.rs      |  5 +-
 .../specs/security/noBlankTarget/invalid.jsx  |  1 +
 .../security/noBlankTarget/invalid.jsx.snap   | 71 +++++++++++++++----
 .../specs/security/noBlankTarget/valid.jsx    |  1 +
 .../security/noBlankTarget/valid.jsx.snap     |  1 +
 5 files changed, 63 insertions(+), 16 deletions(-)

diff --git a/crates/biome_js_analyze/src/lint/security/no_blank_target.rs b/crates/biome_js_analyze/src/lint/security/no_blank_target.rs
index 29662898d8d7..f0981b38affe 100644
--- a/crates/biome_js_analyze/src/lint/security/no_blank_target.rs
+++ b/crates/biome_js_analyze/src/lint/security/no_blank_target.rs
@@ -160,14 +160,15 @@ impl Rule for NoBlankTarget {
                     .then(|| node.find_attribute_by_name(attr_name))
                     .flatten()
             })?;
-        let href = href.as_static_value()?;
 
         let target_attribute = node.find_attribute_by_name("target")?;
         if target_attribute.as_static_value()?.text() != "_blank" {
             return None;
         }
 
-        if !ctx.options().allow_domains.is_empty() {
+        if let Some(href) = href.as_static_value()
+            && !ctx.options().allow_domains.is_empty()
+        {
             let allow_domains: Vec<&str> = ctx
                 .options()
                 .allow_domains
diff --git a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx
index a14181870b89..4ac9cfdd390f 100644
--- a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx
+++ b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx
@@ -10,6 +10,7 @@
     <a target="_blank" href="//example.com/17" rel></a>
     <a target="_blank" href={dynamicLink}></a>
     <a target={'_blank'} href="//example.com/18"></a>
+    <a href={company?.website} target="_blank"></a>
     <area target="_blank" href="https://example.com"></area>
     <form target="_blank" action="https://example.com"></form>
 </>
diff --git a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx.snap b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx.snap
index b4ce17b204d9..20e4f3c1f482 100644
--- a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx.snap
+++ b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/invalid.jsx.snap
@@ -16,6 +16,7 @@ expression: invalid.jsx
     <a target="_blank" href="//example.com/17" rel></a>
     <a target="_blank" href={dynamicLink}></a>
     <a target={'_blank'} href="//example.com/18"></a>
+    <a href={company?.website} target="_blank"></a>
     <area target="_blank" href="https://example.com"></area>
     <form target="_blank" action="https://example.com"></form>
 </>
@@ -191,6 +192,27 @@ invalid.jsx:10:8 lint/security/noBlankTarget ━━━━━━━━━━━
 
 ```
 
+```
+invalid.jsx:11:8 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  × Avoid using target="_blank" without rel="noopener" or rel="noreferrer".
+  
+     9 │     <a target="_blank" href="//example.com/14" rel={"noopenernoreferrer"}></a>
+    10 │     <a target="_blank" href="//example.com/17" rel></a>
+  > 11 │     <a target="_blank" href={dynamicLink}></a>
+       │        ^^^^^^^^^^^^^^^
+    12 │     <a target={'_blank'} href="//example.com/18"></a>
+    13 │     <a href={company?.website} target="_blank"></a>
+  
+  i Opening external links in new tabs without rel="noopener" is a security risk. See the explanation for more details.
+  
+  i Safe fix: Add the rel="noopener" attribute.
+  
+    11 │ ····<a·target="_blank"·href={dynamicLink}·rel="noopener"></a>
+       │                                          +++++++++++++++     
+
+```
+
 ```
 invalid.jsx:12:8 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
@@ -200,8 +222,8 @@ invalid.jsx:12:8 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━
     11 │     <a target="_blank" href={dynamicLink}></a>
   > 12 │     <a target={'_blank'} href="//example.com/18"></a>
        │        ^^^^^^^^^^^^^^^^^
-    13 │     <area target="_blank" href="https://example.com"></area>
-    14 │     <form target="_blank" action="https://example.com"></form>
+    13 │     <a href={company?.website} target="_blank"></a>
+    14 │     <area target="_blank" href="https://example.com"></area>
   
   i Opening external links in new tabs without rel="noopener" is a security risk. See the explanation for more details.
   
@@ -213,23 +235,23 @@ invalid.jsx:12:8 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━
 ```
 
 ```
-invalid.jsx:13:11 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+invalid.jsx:13:32 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
   × Avoid using target="_blank" without rel="noopener" or rel="noreferrer".
   
     11 │     <a target="_blank" href={dynamicLink}></a>
     12 │     <a target={'_blank'} href="//example.com/18"></a>
-  > 13 │     <area target="_blank" href="https://example.com"></area>
-       │           ^^^^^^^^^^^^^^^
-    14 │     <form target="_blank" action="https://example.com"></form>
-    15 │ </>
+  > 13 │     <a href={company?.website} target="_blank"></a>
+       │                                ^^^^^^^^^^^^^^^
+    14 │     <area target="_blank" href="https://example.com"></area>
+    15 │     <form target="_blank" action="https://example.com"></form>
   
   i Opening external links in new tabs without rel="noopener" is a security risk. See the explanation for more details.
   
   i Safe fix: Add the rel="noopener" attribute.
   
-    13 │ ····<area·target="_blank"·href="https://example.com"·rel="noopener"></area>
-       │                                                     +++++++++++++++        
+    13 │ ····<a·href={company?.website}·target="_blank"·rel="noopener"></a>
+       │                                               +++++++++++++++     
 
 ```
 
@@ -239,17 +261,38 @@ invalid.jsx:14:11 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━
   × Avoid using target="_blank" without rel="noopener" or rel="noreferrer".
   
     12 │     <a target={'_blank'} href="//example.com/18"></a>
-    13 │     <area target="_blank" href="https://example.com"></area>
-  > 14 │     <form target="_blank" action="https://example.com"></form>
+    13 │     <a href={company?.website} target="_blank"></a>
+  > 14 │     <area target="_blank" href="https://example.com"></area>
+       │           ^^^^^^^^^^^^^^^
+    15 │     <form target="_blank" action="https://example.com"></form>
+    16 │ </>
+  
+  i Opening external links in new tabs without rel="noopener" is a security risk. See the explanation for more details.
+  
+  i Safe fix: Add the rel="noopener" attribute.
+  
+    14 │ ····<area·target="_blank"·href="https://example.com"·rel="noopener"></area>
+       │                                                     +++++++++++++++        
+
+```
+
+```
+invalid.jsx:15:11 lint/security/noBlankTarget  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  × Avoid using target="_blank" without rel="noopener" or rel="noreferrer".
+  
+    13 │     <a href={company?.website} target="_blank"></a>
+    14 │     <area target="_blank" href="https://example.com"></area>
+  > 15 │     <form target="_blank" action="https://example.com"></form>
        │           ^^^^^^^^^^^^^^^
-    15 │ </>
-    16 │ 
+    16 │ </>
+    17 │ 
   
   i Opening external links in new tabs without rel="noopener" is a security risk. See the explanation for more details.
   
   i Safe fix: Add the rel="noopener" attribute.
   
-    14 │ ····<form·target="_blank"·action="https://example.com"·rel="noopener"></form>
+    15 │ ····<form·target="_blank"·action="https://example.com"·rel="noopener"></form>
        │                                                       +++++++++++++++        
 
 ```
diff --git a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx
index a75ed11f7e21..6c86349baf63 100644
--- a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx
+++ b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx
@@ -32,6 +32,7 @@
     <a target={'targetValue'} href="/absolute/path"></a>
     <a target={"targetValue"} href="/absolute/path"></a>
     <a target={null} href="//example.com"></a>
+    <a href={company?.website} target="_blank" rel="noreferrer"></a>
     <area target="_blank" rel="noopener" href="https://example.com"></area>
     <form target="_blank" rel="noopener" action="https://example.com"></form>
     <Link href="foobar" target="_blank" />
diff --git a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx.snap b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx.snap
index bcbf38272381..f2aabaa33020 100644
--- a/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx.snap
+++ b/crates/biome_js_analyze/tests/specs/security/noBlankTarget/valid.jsx.snap
@@ -38,6 +38,7 @@ expression: valid.jsx
     <a target={'targetValue'} href="/absolute/path"></a>
     <a target={"targetValue"} href="/absolute/path"></a>
     <a target={null} href="//example.com"></a>
+    <a href={company?.website} target="_blank" rel="noreferrer"></a>
     <area target="_blank" rel="noopener" href="https://example.com"></area>
     <form target="_blank" rel="noopener" action="https://example.com"></form>
     <Link href="foobar" target="_blank" />

From 035fb0525147197baf40e5336009c1e1cc8ed95a Mon Sep 17 00:00:00 2001
From: Naoki Ikeguchi <me@s6n.jp>
Date: Tue, 10 Mar 2026 23:26:29 +0900
Subject: [PATCH 2/2] chore: changeset

Co-authored-by: Claude <noreply@anthropic.com>
---
 .changeset/lovely-clouds-change.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/lovely-clouds-change.md

diff --git a/.changeset/lovely-clouds-change.md b/.changeset/lovely-clouds-change.md
new file mode 100644
index 000000000000..84893a80e446
--- /dev/null
+++ b/.changeset/lovely-clouds-change.md
@@ -0,0 +1,5 @@
+---
+"@biomejs/biome": patch
+---
+
+Fixed [#9433](https://github.com/biomejs/biome/issues/9433): [`noBlankTarget`](https://biomejs.dev/linter/rules/no-blank-target/) now correctly handles dynamic href attributes, such as `<a href={company?.website} target="_blank">`.