fix: Respect src attribute
d3xter666 committed Apr 10, 2024
1 parent 759efff commit f53aacd
Showing 9 changed files with 40 additions and 5 deletions.
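--- a/src/linter/html/linter.ts
+++ b/src/linter/html/linter.ts
@@ -13,8 +13,12 @@ export async function lintHtml(resourceName: string, contentStream: ReadStream):
 
 jsScriptTags.forEach((tag) => {
 const scriptContent = tag.textNodes?.map((tNode) => tNode.value).join("").trim();
+// Tags with src attribute do not parse and run inline code
+const hasSrc = tag.attributes.some((attr) => {
+return attr.name.value.toLowerCase() === "src";
+});
 
-if (scriptContent) {
+if (!hasSrc && scriptContent) {
 report.addMessage({
 node: tag,
 severity: LintMessageSeverity.Warning,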
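Review bot: The `hasSrc` exemption holds for HTML `<script>` elements, but as far as I know an SVG `<script>` inside inline `<svg>` takes its external reference from `href`/`xlink:href` and ignores `src`, so its inline text would still run while this check silences the warning. Whether `jsScriptTags` can contain such tags is not visible in the hunk; if it can, limit the exemption to HTML-namespace scripts, and otherwise state the scope in the comment, e.g. `// HTML <script> only: with a src attribute (even empty or valueless) the inline text is never executed`. `hasSrc` is also computed for tags that have no inline content, which moving the lookup inside an `if (scriptContent)` guard would avoid. The forEach callback and `lintHtml` continue outside the hunk.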
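--- a/test/fixtures/linter/rules/CSPCompliance/NoInlineJS.html
+++ b/test/fixtures/linter/rules/CSPCompliance/NoInlineJS.html
@@ -43,6 +43,14 @@
 });
 sap.ui.xmlview({ viewContent: jQuery('#myXml').html() }).placeAt("content");
 </script>
+
+<script type="module">
+import { log } from "utils";
+
+log("Exporting dog names.");
+
+export const names = ["Kayla", "Bentley", "Gilligan"];
+</script>
 </body>
 
 </html>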
20 changes: 17 additions & 3 deletions test/fixtures/linter/rules/CSPCompliance/NoInlineJS_negative.html
Expand Up @@ -16,16 +16,30 @@
</mvc:View>
</script>

<script type="module">
<script src="">
sap.ui.controller("my.own.controller", {
doSomething: function () {
alert("Hello World!");
}
});
</script>

<script src>
console.log("this code won't run");
</script>

<script type="" src="./path/to/js.js">
// should not be reported as it is not a CSP violation
</script>

<script type="module" src>
import { log } from "utils";

log("Exporting dog names.");

export const names = ["Kayla", "Bentley", "Gilligan"];
</script>

<script type="" src="./path/to/js.js"></script>

<script src="./another/path/to/js.js"></script>
</body>

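Review bot: Every `src` in these negative cases is written in lower case, so the `toLowerCase()` comparison added in src/linter/html/linter.ts is not exercised by the fixture. A constructed case such as `<script SRC="./path/to/js.js">` with inline text would pin the case-insensitive match. The fixture file continues below the lines shown here.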
Binary file modified test/lib/detectors/transpilers/xml/snapshots/transpiler.ts.snap
Binary file not shown.
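--- a/test/lib/linter/rules/snapshots/CSPCompliance.ts.md
+++ b/test/lib/linter/rules/snapshots/CSPCompliance.ts.md
@@ -51,8 +51,17 @@ Generated by [AVA](https://avajs.dev).
 ruleId: 'ui5-linter-csp-unsafe-inline-script',
 severity: 1,
 },
+{
+column: 2,
+fatal: undefined,
+line: 47,
+message: 'Use of unsafe inline script',
+messageDetails: 'Content Security Policy (https://ui5.sap.com/1.120/#/topic/fe1a6dba940e479fb7c3bc753f92b28c)',
+ruleId: 'ui5-linter-csp-unsafe-inline-script',
+severity: 1,
+},
 ],
-warningCount: 4,
+warningCount: 5,
 },
 ]
 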
Binary file modified test/lib/linter/rules/snapshots/CSPCompliance.ts.snap
Binary file not shown.
Binary file modified test/lib/linter/rules/snapshots/NoDeprecatedApi.ts.snap
Binary file not shown.
Binary file modified test/lib/linter/rules/snapshots/NoGlobals.ts.snap
Binary file not shown.
Binary file modified test/lib/linter/snapshots/linter.ts.snap
Binary file not shown.
