Linter: Implement html-disallow-inline-scripts rule

Author: markokajzer

javascript/packages/linter/docs/rules/README.md

@@ -83,6 +83,7 @@ This page contains documentation for all Herb Linter rules.
 - [`html-body-only-elements`](./html-body-only-elements.md) - Require content elements inside `<body>`.
 - [`html-boolean-attributes-no-value`](./html-boolean-attributes-no-value.md) - Prevents values on boolean attributes
 - [`html-details-has-summary`](./html-details-has-summary.md) - Require `<summary>` in `<details>` elements
+- [`html-disallow-inline-scripts`](./html-disallow-inline-scripts.md) - Disallow inline `<script>` tags and event handler attributes
 - [`html-head-only-elements`](./html-head-only-elements.md) - Require head-scoped elements inside `<head>`.
 - [`html-iframe-has-title`](./html-iframe-has-title.md) - `iframe` elements must have a `title` attribute
 - [`html-img-require-alt`](./html-img-require-alt.md) - Requires `alt` attributes on `<img>` tags
@@ -99,11 +100,11 @@ This page contains documentation for all Herb Linter rules.
 - [`html-no-nested-links`](./html-no-nested-links.md) - Prevents nested anchor tags
 - [`html-no-positive-tab-index`](./html-no-positive-tab-index.md) - Avoid positive `tabindex` values
 - [`html-no-self-closing`](./html-no-self-closing.md) - Disallow self closing tags
-- [`html-no-unescaped-entities`](./html-no-unescaped-entities.md) - Disallow unescaped HTML entities
-- [`html-no-unknown-tag`](./html-no-unknown-tag.md) - Disallow unknown HTML tags
 - [`html-no-space-in-tag`](./html-no-space-in-tag.md) - Disallow spaces in HTML tags
 - [`html-no-title-attribute`](./html-no-title-attribute.md) - Avoid using the `title` attribute
 - [`html-no-underscores-in-attribute-names`](./html-no-underscores-in-attribute-names.md) - Disallow underscores in HTML attribute names
+- [`html-no-unescaped-entities`](./html-no-unescaped-entities.md) - Disallow unescaped HTML entities
+- [`html-no-unknown-tag`](./html-no-unknown-tag.md) - Disallow unknown HTML tags
 - [`html-require-script-nonce`](./html-require-script-nonce.md) - Require `nonce` attribute on script tags and helpers
 - [`html-tag-name-lowercase`](./html-tag-name-lowercase.md) - Enforces lowercase tag names in HTML
 

javascript/packages/linter/docs/rules/html-disallow-inline-scripts.md

@@ -0,0 +1,85 @@
+# Linter Rule: Disallow inline script tags and event handler attributes
+
+**Rule:** `html-disallow-inline-scripts`
+
+## Description
+
+Disallow the use of inline `<script>` tags and inline JavaScript event handler attributes (e.g. `onclick`, `onload`) in HTML templates.
+
+## Rationale
+
+Inline JavaScript poses a significant security risk and is incompatible with strict Content Security Policy (CSP) configurations (`script-src 'self'`).
+
+All JavaScript should be included via external assets to support strong CSP policies that prevent cross-site scripting (XSS) attacks.
+
+This rule enforces:
+
+- No `<script>` tags embedded directly in templates.
+- No event handler attributes (`onclick`, `onmouseover`, etc.).
+
+## Examples
+
+### ✅ Good
+
+```erb
+<%= javascript_include_tag "application" %>
+```
+
+```erb
+<button type="submit" class="btn">Submit</button>
+```
+
+```erb
+<div data-controller="hello" data-action="click->hello#greet">
+  Content
+</div>
+```
+
+```erb
+<script type="application/json">
+  {"key": "value"}
+</script>
+```
+
+```erb
+<script type="application/ld+json">
+  {"@context": "https://schema.org"}
+</script>
+```
+
+### 🚫 Bad
+
+```erb
+<script>
+  alert("Hello, world!")
+</script>
+```
+
+```erb
+<script type="text/javascript">
+  console.log("Hello")
+</script>
+```
+
+```erb
+<button onclick="doSomething()">Click</button>
+```
+
+```erb
+<body onload="init()"></body>
+```
+
+```erb
+<div onmouseover="highlight()">Hover me</div>
+```
+
+```erb
+<form onsubmit="validate()"></form>
+```
+
+## References
+
+- Inspired by [@pushcx](https://bsky.app/profile/push.cx/post/3lsfddauapk2o)
+- [MDN: Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
+- [wooorm/html-event-attributes](https://github.com/wooorm/html-event-attributes)
+- [GeeksforGeeks: HTML Event Attributes](https://www.geeksforgeeks.org/html/html-event-attributes/)

javascript/packages/linter/src/rules.ts

@@ -67,6 +67,7 @@ import { HTMLAvoidBothDisabledAndAriaDisabledRule } from "./rules/html-avoid-bot
 import { HTMLBodyOnlyElementsRule } from "./rules/html-body-only-elements.js"
 import { HTMLBooleanAttributesNoValueRule } from "./rules/html-boolean-attributes-no-value.js"
 import { HTMLDetailsHasSummaryRule } from "./rules/html-details-has-summary.js"
+import { HTMLDisallowInlineScriptsRule } from "./rules/html-disallow-inline-scripts.js"
 import { HTMLHeadOnlyElementsRule } from "./rules/html-head-only-elements.js"
 import { HTMLIframeHasTitleRule } from "./rules/html-iframe-has-title.js"
 import { HTMLImgRequireAltRule } from "./rules/html-img-require-alt.js"
@@ -84,11 +85,11 @@ import { HTMLNoEmptyHeadingsRule } from "./rules/html-no-empty-headings.js"
 import { HTMLNoNestedLinksRule } from "./rules/html-no-nested-links.js"
 import { HTMLNoPositiveTabIndexRule } from "./rules/html-no-positive-tab-index.js"
 import { HTMLNoSelfClosingRule } from "./rules/html-no-self-closing.js"
-import { HTMLNoUnescapedEntitiesRule } from "./rules/html-no-unescaped-entities.js"
-import { HTMLNoUnknownTagRule } from "./rules/html-no-unknown-tag.js"
 import { HTMLNoSpaceInTagRule } from "./rules/html-no-space-in-tag.js"
 import { HTMLNoTitleAttributeRule } from "./rules/html-no-title-attribute.js"
 import { HTMLNoUnderscoresInAttributeNamesRule } from "./rules/html-no-underscores-in-attribute-names.js"
+import { HTMLNoUnescapedEntitiesRule } from "./rules/html-no-unescaped-entities.js"
+import { HTMLNoUnknownTagRule } from "./rules/html-no-unknown-tag.js"
 import { HTMLRequireClosingTagsRule } from "./rules/html-require-closing-tags.js"
 import { HTMLRequireScriptNonceRule } from "./rules/html-require-script-nonce.js"
 import { HTMLTagNameLowercaseRule } from "./rules/html-tag-name-lowercase.js"
@@ -169,6 +170,7 @@ export const rules: RuleClass[] = [
   HTMLBodyOnlyElementsRule,
   HTMLBooleanAttributesNoValueRule,
   HTMLDetailsHasSummaryRule,
+  HTMLDisallowInlineScriptsRule,
   HTMLHeadOnlyElementsRule,
   HTMLIframeHasTitleRule,
   HTMLImgRequireAltRule,
@@ -186,11 +188,11 @@ export const rules: RuleClass[] = [
   HTMLNoNestedLinksRule,
   HTMLNoPositiveTabIndexRule,
   HTMLNoSelfClosingRule,
-  HTMLNoUnescapedEntitiesRule,
-  HTMLNoUnknownTagRule,
   HTMLNoSpaceInTagRule,
   HTMLNoTitleAttributeRule,
   HTMLNoUnderscoresInAttributeNamesRule,
+  HTMLNoUnescapedEntitiesRule,
+  HTMLNoUnknownTagRule,
   HTMLRequireClosingTagsRule,
   HTMLRequireScriptNonceRule,
   HTMLTagNameLowercaseRule,

javascript/packages/linter/src/rules/html-disallow-inline-scripts.ts

@@ -0,0 +1,165 @@
+import { ParserRule } from "../types.js"
+import { BaseRuleVisitor, isJavaScriptTagElement } from "./rule-utils.js"
+import { getTagLocalName, getAttributeName } from "@herb-tools/core"
+
+import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
+import type { ParseResult, HTMLElementNode, HTMLAttributeNode } from "@herb-tools/core"
+
+const HTML_EVENT_ATTRIBUTES = new Set([
+  // Window Event Attributes
+  "onafterprint",
+  "onbeforeprint",
+  "onbeforeunload",
+  "onerror",
+  "onhashchange",
+  "onlanguagechange",
+  "onload",
+  "onmessage",
+  "onmessageerror",
+  "onoffline",
+  "ononline",
+  "onpagehide",
+  "onpageshow",
+  "onpopstate",
+  "onrejectionhandled",
+  "onresize",
+  "onstorage",
+  "onunhandledrejection",
+  "onunload",
+
+  // Form Event Attributes
+  "onblur",
+  "onchange",
+  "onfocus",
+  "onformdata",
+  "oninput",
+  "oninvalid",
+  "onreset",
+  "onsearch",
+  "onselect",
+  "onsubmit",
+
+  // Keyboard Event Attributes
+  "onkeydown",
+  "onkeypress",
+  "onkeyup",
+
+  // Mouse Event Attributes
+  "onauxclick",
+  "onclick",
+  "oncontextmenu",
+  "ondblclick",
+  "onmousedown",
+  "onmouseenter",
+  "onmouseleave",
+  "onmousemove",
+  "onmouseout",
+  "onmouseover",
+  "onmouseup",
+  "onwheel",
+
+  // Drag Event Attributes
+  "ondrag",
+  "ondragend",
+  "ondragenter",
+  "ondragleave",
+  "ondragover",
+  "ondragstart",
+  "ondrop",
+
+  // Clipboard Event Attributes
+  "oncopy",
+  "oncut",
+  "onpaste",
+
+  // Media Event Attributes
+  "onabort",
+  "oncanplay",
+  "oncanplaythrough",
+  "oncuechange",
+  "ondurationchange",
+  "onemptied",
+  "onended",
+  "onloadeddata",
+  "onloadedmetadata",
+  "onloadstart",
+  "onpause",
+  "onplay",
+  "onplaying",
+  "onprogress",
+  "onratechange",
+  "onseeked",
+  "onseeking",
+  "onstalled",
+  "onsuspend",
+  "ontimeupdate",
+  "onvolumechange",
+  "onwaiting",
+
+  // Scroll Event Attributes
+  "onscroll",
+  "onscrollend",
+
+  // Misc Event Attributes
+  "onbeforematch",
+  "onbeforetoggle",
+  "oncancel",
+  "onclose",
+  "oncontextlost",
+  "oncontextrestored",
+  "onsecuritypolicyviolation",
+  "onslotchange",
+  "ontoggle",
+])
+
+class HTMLDisallowInlineScriptsVisitor extends BaseRuleVisitor {
+  visitHTMLElementNode(node: HTMLElementNode): void {
+    if (getTagLocalName(node) === "script") {
+      this.checkInlineScript(node)
+    }
+
+    super.visitHTMLElementNode(node)
+  }
+
+  visitHTMLAttributeNode(node: HTMLAttributeNode): void {
+    const attributeName = getAttributeName(node)
+
+    if (attributeName && HTML_EVENT_ATTRIBUTES.has(attributeName.toLowerCase())) {
+      this.addOffense(
+        `Avoid inline event handler \`${attributeName}\`. Use external JavaScript with \`addEventListener\` instead.`,
+        node.location,
+      )
+    }
+
+    super.visitHTMLAttributeNode(node)
+  }
+
+  private checkInlineScript(node: HTMLElementNode): void {
+    if (!isJavaScriptTagElement(node)) return
+
+    this.addOffense(
+      "Avoid inline `<script>` tags. Use `javascript_include_tag` to include external JavaScript files instead.",
+      node.open_tag!.location,
+    )
+  }
+}
+
+export class HTMLDisallowInlineScriptsRule extends ParserRule {
+  static ruleName = "html-disallow-inline-scripts"
+  static introducedIn = this.version("unreleased")
+
+  get defaultConfig(): FullRuleConfig {
+    return {
+      enabled: false,
+      severity: "warning"
+    }
+  }
+
+  check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
+    const visitor = new HTMLDisallowInlineScriptsVisitor(this.ruleName, context)
+
+    visitor.visit(result.value)
+
+    return visitor.offenses
+  }
+}

javascript/packages/linter/src/rules/html-require-script-nonce.ts

@@ -1,9 +1,9 @@
-import { ParserRule } from "../types.js"
-import { BaseRuleVisitor } from "./rule-utils.js"
-import { getTagLocalName, getAttribute, getStaticAttributeValue, hasAttributeValue, findAttributeByName, isERBOpenTagNode } from "@herb-tools/core"
+import { getTagLocalName, getStaticAttributeValue, hasAttributeValue } from "@herb-tools/core"
+import type { ParseResult, ParserOptions, HTMLElementNode, HTMLAttributeNode } from "@herb-tools/core"
 
+import { BaseRuleVisitor, findElementAttribute, isJavaScriptTagElement } from "./rule-utils.js"
+import { ParserRule } from "../types.js"
 import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
-import type { ParseResult, ParserOptions, HTMLElementNode, HTMLAttributeNode } from "@herb-tools/core"
 
 const HELPERS_WITH_CSP_NONCE_SUPPORT = [
   "ActionView::Helpers::AssetTagHelper#javascript_include_tag",
@@ -20,9 +20,9 @@ class RequireScriptNonceVisitor extends BaseRuleVisitor {
   }
 
   private checkScriptNonce(node: HTMLElementNode): void {
-    if (!this.isJavaScriptTag(node)) return
+    if (!isJavaScriptTagElement(node)) return
 
-    const nonceAttribute = this.findAttribute(node, "nonce")
+    const nonceAttribute = findElementAttribute(node, "nonce")
 
     if (!nonceAttribute || !hasAttributeValue(nonceAttribute)) {
       this.addOffense(
@@ -63,24 +63,6 @@ class RequireScriptNonceVisitor extends BaseRuleVisitor {
 
     return node.element_source ?? "unknown"
   }
-
-  private isJavaScriptTag(node: HTMLElementNode): boolean {
-    const typeAttribute = this.findAttribute(node, "type")
-    if (!typeAttribute) return true
-
-    const typeValue = getStaticAttributeValue(typeAttribute)
-    if (typeValue === null) return true
-
-    return typeValue === "text/javascript" || typeValue === "application/javascript"
-  }
-
-  private findAttribute(node: HTMLElementNode, name: string) {
-    if (isERBOpenTagNode(node.open_tag)) {
-      return findAttributeByName(node.open_tag.children, name)
-    }
-
-    return getAttribute(node, name)
-  }
 }
 
 export class HTMLRequireScriptNonceRule extends ParserRule {

javascript/packages/linter/src/rules/index.ts

@@ -69,6 +69,7 @@ export * from "./html-avoid-both-disabled-and-aria-disabled.js"
 export * from "./html-body-only-elements.js"
 export * from "./html-boolean-attributes-no-value.js"
 export * from "./html-details-has-summary.js"
+export * from "./html-disallow-inline-scripts.js"
 export * from "./html-head-only-elements.js"
 export * from "./html-iframe-has-title.js"
 export * from "./html-img-require-alt.js"
@@ -86,11 +87,11 @@ export * from "./html-no-empty-headings.js"
 export * from "./html-no-nested-links.js"
 export * from "./html-no-positive-tab-index.js"
 export * from "./html-no-self-closing.js"
-export * from "./html-no-unescaped-entities.js"
-export * from "./html-no-unknown-tag.js"
 export * from "./html-no-space-in-tag.js"
 export * from "./html-no-title-attribute.js"
 export * from "./html-no-underscores-in-attribute-names.js"
+export * from "./html-no-unescaped-entities.js"
+export * from "./html-no-unknown-tag.js"
 export * from "./html-require-closing-tags.js"
 export * from "./html-require-script-nonce.js"
 export * from "./html-tag-name-lowercase.js"