Rule: html-disallow-inline-scripts
Description
Disallow the use of inline <script> tags and inline JavaScript event handler attributes (e.g. onclick, onload) in HTML templates.
Rationale
Inline JavaScript poses a significant security risk and is incompatible with strict Content Security Policy (CSP) configurations (script-src 'self').
All JavaScript should be included via external assets to support strong CSP policies that prevent cross-site scripting (XSS) attacks.
This rule enforces:
- No <script> tags embedded directly in templates.
- No event handler attributes (onclick, onmouseover, etc.).
Examples
✅ Good
<head>
<%= javascript_include_tag "application" %>
</head>
<button class="btn btn-primary">Submit</button>
🚫 Bad
<head>
<script>
alert("Welcome!");
</script>
</head>
<button onclick="alert('Clicked!')">Submit</button>
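As an added illustration, not the linter's own implementation, a minimal Ruby checker that applies this rule to a template string, using the Good and Bad snippets above as constructed input. It assumes that a <script> carrying a src attribute with an empty body is an external include and allowed, and that any attribute named on<event> is an inline handler; attribute values containing a literal > are not handled.

```ruby
# Minimal checker approximating the html-disallow-inline-scripts rule.
# Added example, not the linter's real implementation.
Offense = Struct.new(:line, :message)

# <script ...>body</script>, case-insensitive, body may span lines
SCRIPT_RE = /<script\b([^>]*)>(.*?)<\/script>/mi
# Any HTML start tag: captures tag name and raw attribute text
TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/
# An attribute whose name starts with "on" (onclick, onload, ...)
EVENT_ATTR_RE = /(?:^|\s)(on[a-z]+)\s*=/i

# 1-based line number of a byte offset in the template source
def line_of(src, idx)
  src[0, idx].count("\n") + 1
end

def check_inline_scripts(template)
  offenses = []

  template.scan(SCRIPT_RE) do
    m = Regexp.last_match
    attrs, body = m[1], m[2]
    # Assumption: src= plus an empty body means an external asset (allowed)
    external = !!(attrs =~ /\bsrc\s*=/i) && body.strip.empty?
    next if external
    offenses << Offense.new(line_of(template, m.begin(0)), "inline <script> tag")
  end

  template.scan(TAG_RE) do
    m = Regexp.last_match
    m[2].scan(EVENT_ATTR_RE) do |(name)|
      offenses << Offense.new(line_of(template, m.begin(0)),
                              "inline event handler attribute #{name.downcase}")
    end
  end

  offenses.sort_by(&:line)
end

# Constructed inputs taken from the Good / Bad examples of this rule
GOOD_TEMPLATE = "<head>\n<%= javascript_include_tag \"application\" %>\n</head>\n" \
                "<button class=\"btn btn-primary\">Submit</button>\n"
BAD_TEMPLATE = "<head>\n<script>\nalert(\"Welcome!\");\n</script>\n</head>\n" \
               "<button onclick=\"alert('Clicked!')\">Submit</button>\n"
EXTERNAL_TEMPLATE = "<script src=\"/assets/app.js\"></script>\n"

if __FILE__ == $PROGRAM_NAME
  check_inline_scripts(BAD_TEMPLATE).each { |o| puts "line #{o.line}: #{o.message}" }
end
```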
References
Inspired by @pushcx