no-script-url: add option to allow `javascript:void(0)`
What rule do you want to change?
no-script-url
Does this change cause the rule to produce more or fewer warnings?
Fewer, if option is enabled
How will the change be implemented? (New option, new default behavior, etc.)?
New option: allowVoidZero
Please provide some example code that this change will affect:
```jsx
// valid with the option enabled
<form action="javascript:void(0)" onSubmit={() => doSomething()}>
</form>

// still invalid with the option enabled
<a href="javascript:alert('hello')">eval link</a>
```
What does the rule currently do for this code?
Currently, `javascript:void(0)` strings are flagged as invalid code because it is indeed technically a form of `eval`.
What will the rule do after it’s changed?
With the option enabled, the `javascript:void(0)` string (but no other `javascript:`-prefixed string) would be treated as the idiomatic “no-op” that it is, commonly used for things like forms and links.

Of note: for links people often use `#`, but it still requires doing `event.preventDefault()` to avoid address bar change. For forms, `#` definitely requires `event.preventDefault()` because otherwise form contents are appended directly to the URL. No-op URLs help skip that boilerplate a bit and are fairly resilient.
Happy to work on a PR if this makes sense to the maintainers! Thanks, by the way, for your hard work on the project.
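A sketch of the check the proposal describes, added here as an example; it is not ESLint's code and not part of the original issue. `allowVoidZero` is the option name from the issue, `normalizeUrl`, `isReportedScriptUrl` and `report` are hypothetical helpers, and the sample strings are constructed. It goes slightly beyond the issue by normalising the string the way a URL parser does before reading the scheme, so the exemption is an exact match on the script body and not a prefix match.

```javascript
// Added example, not ESLint's implementation. All helper names are hypothetical.

const SCHEME = /^javascript:/i; // URL schemes are case-insensitive

// Mirror what a URL parser does before it reads the scheme: strip leading and
// trailing C0 control characters and spaces, then drop tabs and newlines.
function normalizeUrl(value) {
  return value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns true when the string literal should be reported by the rule.
function isReportedScriptUrl(value, { allowVoidZero = false } = {}) {
  const url = normalizeUrl(value);
  if (!SCHEME.test(url)) return false; // not a javascript: URL at all
  if (!allowVoidZero) return true;     // current behaviour: report every one
  // Exempt only the exact no-op body. The body is compared case-sensitively
  // because JavaScript is; anything appended to it is still script to flag.
  return url.replace(SCHEME, "") !== "void(0)";
}

// Constructed sample strings, as they might appear in href/action attributes.
const samples = [
  "javascript:void(0)",
  "  JavaScript:void(0)\n",
  "javascript:alert('hello')",
  "javascript:void(0);alert('hello')",
  "#",
  "https://example.com/",
];

function report(strings, options) {
  return strings.filter((s) => isReportedScriptUrl(s, options));
}

console.log("default:", report(samples));
console.log("allowVoidZero:", report(samples, { allowVoidZero: true }));
```

With the option off, all four `javascript:` samples are reported; with it on, only the two that carry script other than the no-op remain.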
Top GitHub Comments
It looks like we weren’t able to obtain consensus around this issue from the ESLint team. I’m going to close this issue. This doesn’t mean the issue wasn’t a good idea: it’s just something the team cannot commit to implementing at this time. Thanks for contributing regardless, we appreciate it!
orz