Linter: Implement html-no-event-handlers and html-no-script-elements rules #1536
markokajzer wants to merge 2 commits into marcoroth:main
marcoroth left a comment:
Thanks for working on this @markokajzer!
I think we want to keep the two rules separate so that the erb-no-javascript-tag-helper rule is strictly about avoiding the javascript_tag Action View helper (it should probably be renamed to actionview-no-javascript-tag-helper later).
And this rule should probably be just about inline script handlers, for catching all the on* attributes, both on regular HTML elements and on the ActionView tag helpers, like <%= tag.button onclick: "alert('hello')" %>. And we probably want to rename the rule to have a html-* prefix.
And then finally, we probably also want a third independent one that catches inline <script> HTML elements, either in the body or head.
changes:
I can separate into two PRs 👍. Gonna leave the rename to #1359, so noop for now.
closes #161
Rule: html-no-event-handlers

Description
Disallow the use of inline JavaScript event handler attributes (e.g. onclick, onload) in HTML templates.

Rationale
Inline JavaScript poses a significant security risk and is incompatible with strict Content Security Policy (CSP) configurations (script-src 'self'). All JavaScript should be included via external assets to support strong CSP policies that prevent cross-site scripting (XSS) attacks.

This rule enforces:
- No inline event handler attributes (onclick, onmouseover, etc.) on HTML elements.
- No inline event handler attributes on ActionView tag helpers (e.g. <%= tag.button onclick: "..." %>).

Rule: html-no-script-elements

Description
Disallow the use of inline <script> tags in HTML templates.

Rationale
Inline JavaScript poses a significant security risk and is incompatible with strict Content Security Policy (CSP) configurations (script-src 'self'). All JavaScript should be included via external assets to support strong CSP policies that prevent cross-site scripting (XSS) attacks.

This rule enforces:
- No <script> tags embedded directly in templates.
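As an added illustration of what the two rules above flag (this is example code, not the project's own linter implementation), the following Ruby checker scans a constructed sample template line by line and reports the offenses each rule describes: on* attributes on HTML elements, on* keyword arguments to ActionView tag helpers, and inline <script> elements. The Offense struct, the regular expressions and the sample template are all this example's own assumptions.

```ruby
# Added example: a minimal line-oriented checker for the two rules in this PR.
# It is not the project's implementation; it only demonstrates what the rules flag.
Offense = Struct.new(:rule, :line, :message)

# Inline handler attribute on a plain HTML element, e.g. <button onclick="...">.
# [^<>] keeps the match inside one tag, so ERB tags (<%= ... %>) are not crossed.
HTML_EVENT_ATTR   = /<[a-z][^<>]*?\s(on[a-z]+)\s*=/i
# Inline handler passed as a keyword to an ActionView tag helper,
# e.g. <%= tag.button "Go", onclick: "..." %>.
HELPER_EVENT_ATTR = /<%=?\s*tag\.[a-z_]+\b[^%]*?\b(on[a-z]+):/i
# Inline <script> element; the opening tag is enough to flag it.
SCRIPT_ELEMENT    = /<script\b/i

# Returns an array of Offense structs, in source order.
def lint_template(source)
  offenses = []
  source.each_line.with_index(1) do |text, line|
    text.scan(HTML_EVENT_ATTR).flatten.each do |attr|
      offenses << Offense.new("html-no-event-handlers", line,
        "inline event handler #{attr} on HTML element; move it to an external asset")
    end
    text.scan(HELPER_EVENT_ATTR).flatten.each do |attr|
      offenses << Offense.new("html-no-event-handlers", line,
        "inline event handler #{attr}: passed to ActionView tag helper")
    end
    if text.match?(SCRIPT_ELEMENT)
      offenses << Offense.new("html-no-script-elements", line,
        "inline <script> element; load JavaScript from an external asset instead")
    end
  end
  offenses
end

# Constructed sample template: lines 1-3 violate a rule, lines 4-5 are compliant
# (external asset include and a data-action attribute, which is not an on* handler).
SAMPLE = <<~ERB
  <button onclick="alert('hi')">Click</button>
  <%= tag.button "Go", onclick: "alert('hello')" %>
  <script>console.log("inline")</script>
  <%= javascript_include_tag "application" %>
  <div data-action="click->hello#greet">ok</div>
ERB

if __FILE__ == $PROGRAM_NAME
  lint_template(SAMPLE).each { |o| puts "#{o.line}: #{o.rule}: #{o.message}" }
end
```

Running it reports three offenses, one per violating line, and nothing for the two compliant lines.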