fix: Respect src attribute for script tags and include module type for checks

src/detectors/transpilers/html/parser.ts

@@ -61,6 +61,7 @@ export async function extractJSScriptTags(contentStream: ReadStream) {
 				return attr.name.value !== "type" ||
 					(attr.name.value === "type" &&
 					["",
+						"module",
 						"text/javascript",
 						"application/javascript", /* legacy */
 					].includes(attr.value.value.toLowerCase()));

src/linter/html/linter.ts

@@ -12,9 +12,12 @@ export async function lintHtml(resourceName: string, contentStream: ReadStream):
 	const jsScriptTags = await extractJSScriptTags(contentStream);
 
 	jsScriptTags.forEach((tag) => {
-		const scriptContent = tag.textNodes?.map((tNode) => tNode.value).join("").trim();
+		// Tags with src attribute do not parse and run inline code
+		const hasSrc = tag.attributes.some((attr) => {
+			return attr.name.value.toLowerCase() === "src";
+		});
 
-		if (scriptContent) {
+		if (!hasSrc && tag.textNodes?.length > 0) {
 			report.addMessage({
 				node: tag,
 				severity: LintMessageSeverity.Warning,

test/fixtures/linter/rules/CSPCompliance/NoInlineJS.html

@@ -43,6 +43,18 @@
 		});
 		sap.ui.xmlview({ viewContent: jQuery('#myXml').html() }).placeAt("content");
 	</script>
+
+	<script type="module">
+		import { log } from "utils";
+
+		log("Exporting dog names.");
+
+		export const names = ["Kayla", "Bentley", "Gilligan"];
+	</script>
+
+	<script>
+		// This one should be reported!
+	</script>
 </body>
 
 </html>

test/fixtures/linter/rules/CSPCompliance/NoInlineJS_negative.html

@@ -16,7 +16,23 @@
 		</mvc:View>
 	</script>
 
-	<script type="module">
+	<script src="">
+		sap.ui.controller("my.own.controller", {
+			doSomething: function () {
+				alert("Hello World!");
+			}
+		});
+	</script>
+
+	<script src>
+		console.log("this code won't run");
+	</script>
+
+	<script type="" src="./path/to/js.js">
+		 // should not be reported as it is not a CSP violation
+	</script>
+
+	<script type="module" src>
 		import { log } from "utils";
 
 		log("Exporting dog names.");

test/lib/linter/rules/snapshots/CSPCompliance.ts.md

@@ -51,8 +51,26 @@ Generated by [AVA](https://avajs.dev).
             ruleId: 'ui5-linter-csp-unsafe-inline-script',
             severity: 1,
           },
+          {
+            column: 2,
+            fatal: undefined,
+            line: 47,
+            message: 'Use of unsafe inline script',
+            messageDetails: 'Content Security Policy (https://ui5.sap.com/1.120/#/topic/fe1a6dba940e479fb7c3bc753f92b28c)',
+            ruleId: 'ui5-linter-csp-unsafe-inline-script',
+            severity: 1,
+          },
+          {
+            column: 2,
+            fatal: undefined,
+            line: 55,
+            message: 'Use of unsafe inline script',
+            messageDetails: 'Content Security Policy (https://ui5.sap.com/1.120/#/topic/fe1a6dba940e479fb7c3bc753f92b28c)',
+            ruleId: 'ui5-linter-csp-unsafe-inline-script',
+            severity: 1,
+          },
         ],
-        warningCount: 4,
+        warningCount: 6,
       },
     ]