Commit de0e6349 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'ee-winh-inline-script-linter' into 'master'

Forbid all inline script tags in Linter::InlineJavaScript (EE)

See merge request gitlab-org/gitlab-ee!4769
parents 7577d713 94b10d3c
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
= render 'projects/fork_suggestion' = render 'projects/fork_suggestion'
- if @project.feature_available?(:file_locks) - if @project.feature_available?(:file_locks)
-# haml-lint:disable InlineJavaScript
%script#js-file-lock{ type: "application/json" } %script#js-file-lock{ type: "application/json" }
- data = {} - data = {}
- data[:path] = @path - data[:path] = @path
......
...@@ -28,4 +28,5 @@ ...@@ -28,4 +28,5 @@
.form-actions .form-actions
= button_tag 'Create branch', class: 'btn btn-create', tabindex: 3 = button_tag 'Create branch', class: 'btn btn-create', tabindex: 3
= link_to 'Cancel', project_branches_path(@project), class: 'btn btn-cancel' = link_to 'Cancel', project_branches_path(@project), class: 'btn btn-cancel'
-# haml-lint:disable InlineJavaScript
%script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe %script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe
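Review bot: The added `-# haml-lint:disable InlineJavaScript` before `%script#availableRefs` carries no justification and, if haml-lint's disable directive stays in effect until a matching enable (as I understand it does), it silences the linter for the rest of the file rather than for this one JSON data island. A preceding `-# JSON payload read by JS, not executable script` comment and a `-# haml-lint:enable InlineJavaScript` line after the tag would both document and scope the exception. The same unexplained, unscoped pragma recurs in the other hunks of this commit (the `@@ -79,6 +79,7 @@`, `@@ -43,4 +43,5 @@` and `@@ -35,4 +35,5 @@` sections among others), and the boards section appears to rely on one disable covering three `text/x-template` tags. Because these blocks are emitted with `.html_safe`, they presumably depend on the JSON encoder escaping `<`, `>` and `&` inside the script body; once the lint is suppressed nothing else points that dependency out, so the reason comment is worth keeping next to each exemption.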
...@@ -79,6 +79,7 @@ ...@@ -79,6 +79,7 @@
Enable or disable certain project features and choose access levels. Enable or disable certain project features and choose access levels.
.settings-content .settings-content
= form_for [@project.namespace.becomes(Namespace), @project], remote: true, html: { multipart: true, class: "sharing-permissions-form" }, authenticity_token: true do |f| = form_for [@project.namespace.becomes(Namespace), @project], remote: true, html: { multipart: true, class: "sharing-permissions-form" }, authenticity_token: true do |f|
-# haml-lint:disable InlineJavaScript
%script.js-project-permissions-form-data{ type: "application/json" }= project_permissions_panel_data(@project) %script.js-project-permissions-form-data{ type: "application/json" }= project_permissions_panel_data(@project)
.js-project-permissions-form .js-project-permissions-form
= f.submit 'Save changes', class: "btn btn-save" = f.submit 'Save changes', class: "btn btn-save"
......
...@@ -74,6 +74,7 @@ ...@@ -74,6 +74,7 @@
= _("Commits per day hour (UTC)") = _("Commits per day hour (UTC)")
%canvas#hour-chart %canvas#hour-chart
-# haml-lint:disable InlineJavaScript
%script#projectChartData{ type: "application/json" } %script#projectChartData{ type: "application/json" }
- projectChartData = {}; - projectChartData = {};
- projectChartData['hour'] = @commits_per_time - projectChartData['hour'] = @commits_per_time
......
...@@ -58,6 +58,7 @@ ...@@ -58,6 +58,7 @@
.issue-details.issuable-details .issue-details.issuable-details
.detail-page-description.content-block .detail-page-description.content-block
-# haml-lint:disable InlineJavaScript
%script#js-issuable-app-initial-data{ type: "application/json" }= issuable_initial_data(@issue).to_json %script#js-issuable-app-initial-data{ type: "application/json" }= issuable_initial_data(@issue).to_json
#js-issuable-app #js-issuable-app
%h2.title= markdown_field(@issue, :title) %h2.title= markdown_field(@issue, :title)
......
...@@ -4,4 +4,5 @@ ...@@ -4,4 +4,5 @@
%canvas#build_timesChart{ height: 200 } %canvas#build_timesChart{ height: 200 }
-# haml-lint:disable InlineJavaScript
%script#pipelinesTimesChartsData{ type: "application/json" }= { :labels => @charts[:pipeline_times].labels, :values => @charts[:pipeline_times].pipeline_times }.to_json.html_safe %script#pipelinesTimesChartsData{ type: "application/json" }= { :labels => @charts[:pipeline_times].labels, :values => @charts[:pipeline_times].pipeline_times }.to_json.html_safe
...@@ -26,6 +26,7 @@ ...@@ -26,6 +26,7 @@
= _("Pipelines for last year") = _("Pipelines for last year")
%canvas#yearChart.padded{ height: 250 } %canvas#yearChart.padded{ height: 250 }
-# haml-lint:disable InlineJavaScript
%script#pipelinesChartsData{ type: "application/json" } %script#pipelinesChartsData{ type: "application/json" }
- chartData = [] - chartData = []
- [:week, :month, :year].each do |scope| - [:week, :month, :year].each do |scope|
......
...@@ -20,4 +20,5 @@ ...@@ -20,4 +20,5 @@
= f.submit 'Create pipeline', class: 'btn btn-create', tabindex: 3 = f.submit 'Create pipeline', class: 'btn btn-create', tabindex: 3
= link_to 'Cancel', project_pipelines_path(@project), class: 'btn btn-cancel' = link_to 'Cancel', project_pipelines_path(@project), class: 'btn btn-cancel'
-# haml-lint:disable InlineJavaScript
%script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe %script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe
...@@ -43,4 +43,5 @@ ...@@ -43,4 +43,5 @@
.form-actions .form-actions
= button_tag s_('TagsPage|Create tag'), class: 'btn btn-create' = button_tag s_('TagsPage|Create tag'), class: 'btn btn-create'
= link_to s_('TagsPage|Cancel'), project_tags_path(@project), class: 'btn btn-cancel' = link_to s_('TagsPage|Cancel'), project_tags_path(@project), class: 'btn btn-cancel'
-# haml-lint:disable InlineJavaScript
%script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe %script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe
...@@ -9,6 +9,7 @@ ...@@ -9,6 +9,7 @@
- content_for :page_specific_javascripts do - content_for :page_specific_javascripts do
= webpack_bundle_tag 'common_vue' = webpack_bundle_tag 'common_vue'
-# haml-lint:disable InlineJavaScript
%script#js-board-template{ type: "text/x-template" }= render "shared/boards/components/board" %script#js-board-template{ type: "text/x-template" }= render "shared/boards/components/board"
%script#js-board-modal-filter{ type: "text/x-template" }= render "shared/issuable/search_bar", type: :boards_modal %script#js-board-modal-filter{ type: "text/x-template" }= render "shared/issuable/search_bar", type: :boards_modal
%script#js-board-promotion{ type: "text/x-template" }= render "shared/promotions/promote_issue_board" %script#js-board-promotion{ type: "text/x-template" }= render "shared/promotions/promote_issue_board"
......
...@@ -125,10 +125,12 @@ ...@@ -125,10 +125,12 @@
= render 'shared/promotions/promote_issue_weights' = render 'shared/promotions/promote_issue_weights'
- if issuable.has_attribute?(:confidential) - if issuable.has_attribute?(:confidential)
-# haml-lint:disable InlineJavaScript
%script#js-confidential-issue-data{ type: "application/json" }= { is_confidential: @issue.confidential, is_editable: can_edit_issuable }.to_json.html_safe %script#js-confidential-issue-data{ type: "application/json" }= { is_confidential: @issue.confidential, is_editable: can_edit_issuable }.to_json.html_safe
#js-confidential-entry-point #js-confidential-entry-point
- if issuable.has_attribute?(:discussion_locked) - if issuable.has_attribute?(:discussion_locked)
-# haml-lint:disable InlineJavaScript
%script#js-lock-issue-data{ type: "application/json" }= { is_locked: issuable.discussion_locked?, is_editable: can_edit_issuable }.to_json.html_safe %script#js-lock-issue-data{ type: "application/json" }= { is_locked: issuable.discussion_locked?, is_editable: can_edit_issuable }.to_json.html_safe
#js-lock-entry-point #js-lock-entry-point
...@@ -165,4 +167,5 @@ ...@@ -165,4 +167,5 @@
= _('Move') = _('Move')
= icon('spinner spin', class: 'sidebar-move-issue-confirmation-loading-icon') = icon('spinner spin', class: 'sidebar-move-issue-confirmation-loading-icon')
-# haml-lint:disable InlineJavaScript
%script.js-sidebar-options{ type: "application/json" }= issuable_sidebar_options(issuable, can_edit_issuable).to_json.html_safe %script.js-sidebar-options{ type: "application/json" }= issuable_sidebar_options(issuable, can_edit_issuable).to_json.html_safe
...@@ -35,4 +35,5 @@ ...@@ -35,4 +35,5 @@
is locked. Only is locked. Only
%b project members %b project members
can comment. can comment.
-# haml-lint:disable InlineJavaScript
%script.js-notes-data{ type: "application/json" }= initial_notes_data(autocomplete).to_json.html_safe %script.js-notes-data{ type: "application/json" }= initial_notes_data(autocomplete).to_json.html_safe
#js-authenticate-u2f #js-authenticate-u2f
%a.btn.btn-block.btn-info#js-login-2fa-device{ href: '#' } Sign in via 2FA code %a.btn.btn-block.btn-info#js-login-2fa-device{ href: '#' } Sign in via 2FA code
-# haml-lint:disable InlineJavaScript
%script#js-authenticate-u2f-not-supported{ type: "text/template" } %script#js-authenticate-u2f-not-supported{ type: "text/template" }
%p Your browser doesn't support U2F. Please use Google Chrome desktop (version 41 or newer). %p Your browser doesn't support U2F. Please use Google Chrome desktop (version 41 or newer).
......
#js-register-u2f #js-register-u2f
-# haml-lint:disable InlineJavaScript
%script#js-register-u2f-not-supported{ type: "text/template" } %script#js-register-u2f-not-supported{ type: "text/template" }
%p Your browser doesn't support U2F. Please use Google Chrome desktop (version 41 or newer). %p Your browser doesn't support U2F. Please use Google Chrome desktop (version 41 or newer).
......
...@@ -118,7 +118,7 @@ ...@@ -118,7 +118,7 @@
%td= @stats[:merge_requests_merged][index] %td= @stats[:merge_requests_merged][index]
%td= @stats[:total_events][index] %td= @stats[:total_events][index]
-# haml-lint:disable InlineJavaScript
%script#js-analytics-data{ type: "application/json" } %script#js-analytics-data{ type: "application/json" }
- data = {} - data = {}
- data[:labels] = @users.map(&:name) - data[:labels] = @users.map(&:name)
......
= webpack_bundle_tag 'add_gitlab_slack_application' = webpack_bundle_tag 'add_gitlab_slack_application'
-# haml-lint:disable InlineJavaScript
%script#js-add-gitlab-slack-application-entry-data{ type: "application/json" } %script#js-add-gitlab-slack-application-entry-data{ type: "application/json" }
= add_to_slack_data(@projects) = add_to_slack_data(@projects)
......
...@@ -12,6 +12,12 @@ unless Rails.env.production? ...@@ -12,6 +12,12 @@ unless Rails.env.production?
record_lint(node, 'Inline JavaScript is discouraged (https://docs.gitlab.com/ee/development/gotchas.html#do-not-use-inline-javascript-in-views)') record_lint(node, 'Inline JavaScript is discouraged (https://docs.gitlab.com/ee/development/gotchas.html#do-not-use-inline-javascript-in-views)')
end end
def visit_tag(node)
return unless node.tag_name == 'script'
record_lint(node, 'Inline JavaScript is discouraged (https://docs.gitlab.com/ee/development/gotchas.html#do-not-use-inline-javascript-in-views)')
end
end end
end end
end end
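Review bot: `visit_tag` reports every `%script` tag with the same "Inline JavaScript is discouraged" message, including the `type: "application/json"` and `text/x-template` blocks that the rest of this commit then has to exempt file by file, so the message is misleading for non-executable script bodies and the identical URL-bearing string is now duplicated between `visit_tag` and the method above it. Extract it once, e.g. `MESSAGE = 'Inline JavaScript is discouraged (https://docs.gitlab.com/ee/development/gotchas.html#do-not-use-inline-javascript-in-views)'.freeze`, and call `record_lint(node, MESSAGE)` from both methods. A short comment on `visit_tag` stating that data and template script blocks are flagged deliberately, so that each one is exempted by an explicit `haml-lint:disable`, would make the policy clear to the next person who hits the lint. The enclosing linter class begins outside this hunk.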