AllowedScriptType should allow "module" for type script tag #384

Open

jcoyne opened this issue Oct 16, 2024 · 3 comments

Comments

@jcoyne

jcoyne commented Oct 16, 2024

I don't understand why erb_lint is surfacing this:

Avoid using "module" as type for `<script>` tag. Must be one of: text/javascript (or no type attribute). (not autocorrected)

This is valid HTML: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules#applying_the_module_to_your_html

Similarly "application/ld+json" should be an acceptable value. https://docs.parse.ly/metadata-jsonld/

@jcoyne jcoyne changed the title Module for type script tag AllowedScriptType should allow "module" for type script tag Oct 16, 2024
@davidstosik

Hi there! 👋🏻
It looks like the AllowedScriptType rule only allows text/javascript by default. You can easily customize the rule in your configuration file:

---
linters:
  AllowedScriptType:
    enabled: true
    allowed_types:
      - 'application/json'
      - 'text/javascript'
      - 'text/html'
      - 'application/ld+json' # ⬅️ here
      - 'module' # ⬅️ and here
    allow_blank: false
    disallow_inline_scripts: false

(More details in the link I shared above.)

(This PR in BetterHtml seems to be related by the way: Add module as a type of <script>.)

@jcoyne

jcoyne commented Oct 17, 2024

Does it make sense to add these to the default acceptable values?

@davidstosik

@jcoyne Reading the documentation, I don't think application/ld+json should be added to the defaults:

It is common practice for web developers to use <script> tags with non-executable type attributes, such as application/json or text/html to pass arbitrary data into an html page. Despite not being executable, these tags are subject to the same parsing quirks as executable script tags, and it is therefore more difficult to prevent security issues from creeping in. Consider for instance an application where it is possible to inject the string </script><script> unescaped into a text/html tag, the application would be vulnerable to XSS.

If you want to allow application/ld+json, you should add it to your own configuration.
About the module type, however, I'm a little less sure and, to be honest, am not familiar enough with the matter to answer categorically.

Meanwhile, you can allow these in your ERB Lint configuration file.
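
The `</script><script>` breakout quoted from the documentation above is easy to reproduce, and also easy to prevent on the rendering side, independently of which types the linter allows. The following Ruby snippet is an added example written for this page; it is not code from erb_lint, BetterHtml or either commenter. The function names (`naive_json_for_script`, `safe_json_for_script`, `render_script_tag`, `script_breakout?`) and the sample JSON-LD payload are made up for the illustration. It shows a data payload containing `</script>` being dropped into an `application/ld+json` tag once with plain `JSON.generate` and once with the `<`, `>`, `&`, U+2028 and U+2029 characters replaced by JSON `\uXXXX` escapes, which the browser's JSON parser decodes back to the original characters while the HTML parser never sees a closing tag.

```ruby
require "json"

# Characters that can terminate a <script> element (or break a JS string
# literal) when raw JSON is interpolated into the element's text content.
# The values are literal backslash-u sequences, valid inside any JSON string.
JSON_ESCAPE_MAP = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze

# Naive serialization: JSON.generate escapes quotes and backslashes but
# leaves "<" and ">" untouched, so a value containing "</script>" closes
# the element early when the HTML parser reads it.
def naive_json_for_script(data)
  JSON.generate(data)
end

# Hardened serialization: same JSON document, but every character that could
# end the element is emitted as a unicode escape. The parsed result is
# byte-for-byte the original data.
def safe_json_for_script(data)
  JSON.generate(data).gsub(/[<>&\u2028\u2029]/, JSON_ESCAPE_MAP)
end

# Hypothetical template helper: what an ERB view would produce for a
# non-executable data script tag such as application/ld+json.
def render_script_tag(type, payload)
  %(<script type="#{type}">#{payload}</script>)
end

# Detection helper: a rendered tag that carries more than one "</script"
# sequence has been broken out of by its payload.
def script_breakout?(html)
  html.scan(%r{</script}i).length > 1
end

# Constructed sample JSON-LD document with an attacker-controlled headline.
SAMPLE_LD = {
  "@context" => "https://schema.org",
  "@type"    => "NewsArticle",
  "headline" => "</script><script>alert(1)</script>",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{render_script_tag('application/ld+json', naive_json_for_script(SAMPLE_LD))}"
  puts "safe:   #{render_script_tag('application/ld+json', safe_json_for_script(SAMPLE_LD))}"
end
```

Rails ships the same replacement as `ERB::Util.json_escape` (the `json_escape` view helper), so in a Rails app the safe path is `json_escape(data.to_json)` rather than the hand-rolled map above; the point for this issue is that allowing a non-executable type in the linter does nothing to protect the payload, and the escaping has to happen wherever the JSON is rendered.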
