refactor: integrate erb-no-javascript-tag-helper

Author: markokajzer

docs/docs/blog/whats-new-in-herb-v0-9.md

@@ -414,7 +414,7 @@ This release also introduces two new rule categories: **`erb-safety-*`** rules e
 ##### ERB Safety Rules
 
 - [`erb-no-statement-in-script`](/linter/rules/erb-no-statement-in-script.md)<br/>Avoid `<% %>` tags inside `<script>`. Use `<%= %>` to interpolate values.
-- [`erb-no-javascript-tag-helper`](/linter/rules/erb-no-javascript-tag-helper.md)<br/>Avoid `javascript_tag`. Use inline `<script>` tags instead.
+- [`erb-no-javascript-tag-helper`](/linter/rules/erb-disallow-inline-scripts.md)<br/>Avoid `javascript_tag`. Use inline `<script>` tags instead.
 - [`erb-no-unsafe-script-interpolation`](/linter/rules/erb-no-unsafe-script-interpolation.md)<br/>ERB output in `<script>` tags must use `.to_json` to safely serialize values.
 - [`erb-no-raw-output-in-attribute-value`](/linter/rules/erb-no-raw-output-in-attribute-value.md)<br/>Avoid `<%==` in attribute values. Use `<%= %>` instead.
 - [`erb-no-unsafe-raw`](/linter/rules/erb-no-unsafe-raw.md)<br/>Avoid `raw()` and `.html_safe` in ERB output.

javascript/packages/linter/docs/rules/README.md

@@ -23,6 +23,7 @@ This page contains documentation for all Herb Linter rules.
 #### ERB
 
 - [`erb-comment-syntax`](./erb-comment-syntax.md) - Disallow Ruby comments immediately after ERB tags
+- [`erb-disallow-inline-scripts`](./erb-disallow-inline-scripts.md) - Disallow inline `<script>` tags, `javascript_tag`, and event handler attributes
 - [`erb-no-case-node-children`](./erb-no-case-node-children.md) - Don't use `children` for `case/when` and `case/in` nodes
 - [`erb-no-debug-output`](./erb-no-debug-output.md) - Disallow debug output methods (`p`, `pp`, `puts`, `print`, `debug`) in ERB templates
 - [`erb-no-conditional-html-element`](./erb-no-conditional-html-element.md) - Disallow conditional HTML elements
@@ -34,7 +35,6 @@ This page contains documentation for all Herb Linter rules.
 - [`erb-no-inline-case-conditions`](./erb-no-inline-case-conditions.md) - Disallow inline `case`/`when` and `case`/`in` conditions in a single ERB tag
 - [`erb-no-instance-variables-in-partials`](./erb-no-instance-variables-in-partials.md) - Disallow instance variables in partials
 - [`erb-no-interpolated-class-names`](./erb-no-interpolated-class-names.md) - Disallow ERB interpolation inside CSS class names
-- [`erb-no-javascript-tag-helper`](./erb-no-javascript-tag-helper.md) - Disallow `javascript_tag` helper
 - [`erb-no-output-control-flow`](./erb-no-output-control-flow.md) - Prevents outputting control flow blocks
 - [`erb-no-output-in-attribute-name`](./erb-no-output-in-attribute-name.md) - Disallow ERB output in attribute names
 - [`erb-no-output-in-attribute-position`](./erb-no-output-in-attribute-position.md) - Disallow ERB output in attribute position
@@ -83,7 +83,6 @@ This page contains documentation for all Herb Linter rules.
 - [`html-body-only-elements`](./html-body-only-elements.md) - Require content elements inside `<body>`.
 - [`html-boolean-attributes-no-value`](./html-boolean-attributes-no-value.md) - Prevents values on boolean attributes
 - [`html-details-has-summary`](./html-details-has-summary.md) - Require `<summary>` in `<details>` elements
-- [`html-disallow-inline-scripts`](./html-disallow-inline-scripts.md) - Disallow inline `<script>` tags and event handler attributes
 - [`html-head-only-elements`](./html-head-only-elements.md) - Require head-scoped elements inside `<head>`.
 - [`html-iframe-has-title`](./html-iframe-has-title.md) - `iframe` elements must have a `title` attribute
 - [`html-img-require-alt`](./html-img-require-alt.md) - Requires `alt` attributes on `<img>` tags

…cs/rules/html-disallow-inline-scripts.md …ocs/rules/erb-disallow-inline-scripts.mdjavascript/packages/linter/docs/rules/html-disallow-inline-scripts.md renamed to javascript/packages/linter/docs/rules/erb-disallow-inline-scripts.md javascript/packages/linter/docs/rules/html-disallow-inline-scripts.md renamed to javascript/packages/linter/docs/rules/erb-disallow-inline-scripts.md

@@ -1,6 +1,6 @@
 # Linter Rule: Disallow inline script tags and event handler attributes
 
-**Rule:** `html-disallow-inline-scripts`
+**Rule:** `erb-disallow-inline-scripts`
 
 ## Description
 
@@ -15,6 +15,8 @@ All JavaScript should be included via external assets to support strong CSP poli
 This rule enforces:
 
 - No `<script>` tags embedded directly in templates.
+- No `javascript_tag` Rails helper usage.
+- No `content_tag :script` or `tag.script` Rails helper usage.
 - No event handler attributes (`onclick`, `onmouseover`, etc.).
 
 ## Examples
@@ -61,6 +63,24 @@ This rule enforces:
 </script>
 ```
 
+```erb
+<%= javascript_tag do %>
+  if (a < 1) { <%= unsafe %> }
+<% end %>
+```
+
+```erb
+<%= content_tag :script do %>
+  alert('Hello')
+<% end %>
+```
+
+```erb
+<%= tag.script do %>
+  alert('Hello')
+<% end %>
+```
+
 ```erb
 <button onclick="doSomething()">Click</button>
 ```
@@ -79,6 +99,7 @@ This rule enforces:
 
 ## References
 
+- [Shopify/better-html — `NoJavascriptTagHelper`](https://github.com/Shopify/better-html/blob/main/lib/better_html/test_helper/safe_erb/no_javascript_tag_helper.rb)
 - Inspired by [@pushcx](https://bsky.app/profile/push.cx/post/3lsfddauapk2o)
 - [MDN: Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
 - [wooorm/html-event-attributes](https://github.com/wooorm/html-event-attributes)

javascript/packages/linter/docs/rules/erb-no-javascript-tag-helper.md

@@ -12,6 +12,7 @@ import { ActionViewStrictLocalsFirstLineRule } from "./rules/actionview-strict-l
 import { ActionViewStrictLocalsPartialOnlyRule } from "./rules/actionview-strict-locals-partial-only.js"
 
 import { ERBCommentSyntax } from "./rules/erb-comment-syntax.js";
+import { ERBDisallowInlineScriptsRule } from "./rules/erb-disallow-inline-scripts.js"
 import { ERBNoCaseNodeChildrenRule } from "./rules/erb-no-case-node-children.js"
 import { ERBNoDebugOutputRule } from "./rules/erb-no-debug-output.js"
 import { ERBNoConditionalHTMLElementRule } from "./rules/erb-no-conditional-html-element.js"
@@ -24,7 +25,6 @@ import { ERBNoExtraWhitespaceRule } from "./rules/erb-no-extra-whitespace-inside
 import { ERBNoInlineCaseConditionsRule } from "./rules/erb-no-inline-case-conditions.js"
 import { ERBNoInstanceVariablesInPartialsRule } from "./rules/erb-no-instance-variables-in-partials.js"
 import { ERBNoInterpolatedClassNamesRule } from "./rules/erb-no-interpolated-class-names.js"
-import { ERBNoJavascriptTagHelperRule } from "./rules/erb-no-javascript-tag-helper.js"
 import { ERBNoOutputControlFlowRule } from "./rules/erb-no-output-control-flow.js"
 import { ERBNoOutputInAttributeNameRule } from "./rules/erb-no-output-in-attribute-name.js"
 import { ERBNoOutputInAttributePositionRule } from "./rules/erb-no-output-in-attribute-position.js"
@@ -67,7 +67,6 @@ import { HTMLAvoidBothDisabledAndAriaDisabledRule } from "./rules/html-avoid-bot
 import { HTMLBodyOnlyElementsRule } from "./rules/html-body-only-elements.js"
 import { HTMLBooleanAttributesNoValueRule } from "./rules/html-boolean-attributes-no-value.js"
 import { HTMLDetailsHasSummaryRule } from "./rules/html-details-has-summary.js"
-import { HTMLDisallowInlineScriptsRule } from "./rules/html-disallow-inline-scripts.js"
 import { HTMLHeadOnlyElementsRule } from "./rules/html-head-only-elements.js"
 import { HTMLIframeHasTitleRule } from "./rules/html-iframe-has-title.js"
 import { HTMLImgRequireAltRule } from "./rules/html-img-require-alt.js"
@@ -115,6 +114,7 @@ export const rules: RuleClass[] = [
   ActionViewStrictLocalsPartialOnlyRule,
 
   ERBCommentSyntax,
+  ERBDisallowInlineScriptsRule,
   ERBNoCaseNodeChildrenRule,
   ERBNoDebugOutputRule,
   ERBNoEmptyControlFlowRule,
@@ -127,7 +127,6 @@ export const rules: RuleClass[] = [
   ERBNoInlineCaseConditionsRule,
   ERBNoInstanceVariablesInPartialsRule,
   ERBNoInterpolatedClassNamesRule,
-  ERBNoJavascriptTagHelperRule,
   ERBNoOutputControlFlowRule,
   ERBNoOutputInAttributeNameRule,
   ERBNoOutputInAttributePositionRule,
@@ -170,7 +169,6 @@ export const rules: RuleClass[] = [
   HTMLBodyOnlyElementsRule,
   HTMLBooleanAttributesNoValueRule,
   HTMLDetailsHasSummaryRule,
-  HTMLDisallowInlineScriptsRule,
   HTMLHeadOnlyElementsRule,
   HTMLIframeHasTitleRule,
   HTMLImgRequireAltRule,

javascript/packages/linter/src/rules.ts

@@ -1,9 +1,12 @@
-import { ParserRule } from "../types.js"
-import { BaseRuleVisitor, isJavaScriptTagElement } from "./rule-utils.js"
-import { getTagLocalName, getAttributeName } from "@herb-tools/core"
+import { getTagLocalName, getAttributeName, isERBOpenTagNode } from "@herb-tools/core"
+import type { ParseResult, ParserOptions, HTMLElementNode, HTMLAttributeNode } from "@herb-tools/core"
 
+import { BaseRuleVisitor, isJavaScriptTagElement } from "./rule-utils.js"
 import type { UnboundLintOffense, LintContext, FullRuleConfig } from "../types.js"
-import type { ParseResult, HTMLElementNode, HTMLAttributeNode } from "@herb-tools/core"
+import { ParserRule } from "../types.js"
+
+const JAVASCRIPT_TAG_ELEMENT_SOURCE = "ActionView::Helpers::JavaScriptHelper#javascript_tag"
+const JAVASCRIPT_INCLUDE_TAG_ELEMENT_SOURCE = "ActionView::Helpers::AssetTagHelper#javascript_include_tag"
 
 const HTML_EVENT_ATTRIBUTES = new Set([
   // Window Event Attributes
@@ -112,7 +115,7 @@ const HTML_EVENT_ATTRIBUTES = new Set([
   "ontoggle",
 ])
 
-class HTMLDisallowInlineScriptsVisitor extends BaseRuleVisitor {
+class ERBDisallowInlineScriptsVisitor extends BaseRuleVisitor {
   visitHTMLElementNode(node: HTMLElementNode): void {
     if (getTagLocalName(node) === "script") {
       this.checkInlineScript(node)
@@ -137,15 +140,34 @@ class HTMLDisallowInlineScriptsVisitor extends BaseRuleVisitor {
   private checkInlineScript(node: HTMLElementNode): void {
     if (!isJavaScriptTagElement(node)) return
 
-    this.addOffense(
-      "Avoid inline `<script>` tags. Use `javascript_include_tag` to include external JavaScript files instead.",
-      node.open_tag!.location,
-    )
+    if (this.isJavascriptTagElement(node)) {
+      this.addOffense(
+        "Avoid `javascript_tag`. Use `javascript_include_tag` to include external JavaScript files instead.",
+        node.open_tag!.location,
+      )
+    } else if (!this.isJavascriptIncludeTagElement(node)) {
+      this.addOffense(
+        "Avoid inline `<script>` tags. Use `javascript_include_tag` to include external JavaScript files instead.",
+        node.open_tag!.location,
+      )
+    }
+  }
+
+  private isJavascriptTagElement(node: HTMLElementNode): boolean {
+    if (!isERBOpenTagNode(node.open_tag)) return false
+
+    return node.element_source === JAVASCRIPT_TAG_ELEMENT_SOURCE
+  }
+
+  private isJavascriptIncludeTagElement(node: HTMLElementNode): boolean {
+    if (!isERBOpenTagNode(node.open_tag)) return false
+
+    return node.element_source === JAVASCRIPT_INCLUDE_TAG_ELEMENT_SOURCE
   }
 }
 
-export class HTMLDisallowInlineScriptsRule extends ParserRule {
-  static ruleName = "html-disallow-inline-scripts"
+export class ERBDisallowInlineScriptsRule extends ParserRule {
+  static ruleName = "erb-disallow-inline-scripts"
   static introducedIn = this.version("unreleased")
 
   get defaultConfig(): FullRuleConfig {
@@ -155,8 +177,14 @@ export class HTMLDisallowInlineScriptsRule extends ParserRule {
     }
   }
 
+  get parserOptions(): Partial<ParserOptions> {
+    return {
+      action_view_helpers: true,
+    }
+  }
+
   check(result: ParseResult, context?: Partial<LintContext>): UnboundLintOffense[] {
-    const visitor = new HTMLDisallowInlineScriptsVisitor(this.ruleName, context)
+    const visitor = new ERBDisallowInlineScriptsVisitor(this.ruleName, context)
 
     visitor.visit(result.value)
 

…rc/rules/html-disallow-inline-scripts.ts …src/rules/erb-disallow-inline-scripts.tsjavascript/packages/linter/src/rules/html-disallow-inline-scripts.ts renamed to javascript/packages/linter/src/rules/erb-disallow-inline-scripts.ts javascript/packages/linter/src/rules/html-disallow-inline-scripts.ts renamed to javascript/packages/linter/src/rules/erb-disallow-inline-scripts.ts

@@ -17,6 +17,7 @@ export * from "./actionview-strict-locals-first-line.js"
 export * from "./actionview-strict-locals-partial-only.js"
 
 export * from "./erb-comment-syntax.js"
+export * from "./erb-disallow-inline-scripts.js"
 export * from "./erb-no-case-node-children.js"
 export * from "./erb-no-debug-output.js"
 export * from "./erb-no-conditional-open-tag.js"
@@ -27,7 +28,6 @@ export * from "./erb-no-extra-newline.js"
 export * from "./erb-no-extra-whitespace-inside-tags.js"
 export * from "./erb-no-inline-case-conditions.js"
 export * from "./erb-no-instance-variables-in-partials.js"
-export * from "./erb-no-javascript-tag-helper.js"
 export * from "./erb-no-output-control-flow.js"
 export * from "./erb-no-output-in-attribute-name.js"
 export * from "./erb-no-output-in-attribute-position.js"
@@ -69,7 +69,6 @@ export * from "./html-avoid-both-disabled-and-aria-disabled.js"
 export * from "./html-body-only-elements.js"
 export * from "./html-boolean-attributes-no-value.js"
 export * from "./html-details-has-summary.js"
-export * from "./html-disallow-inline-scripts.js"
 export * from "./html-head-only-elements.js"
 export * from "./html-iframe-has-title.js"
 export * from "./html-img-require-alt.js"