Merge branch 'winh-inline-script-linter' into 'master'

Forbid all inline script tags in Linter::InlineJavaScript

See merge request gitlab-org/gitlab-ce!17437

app/views/projects/branches/new.html.haml

@@ -28,4 +28,5 @@
   .form-actions
     = button_tag 'Create branch', class: 'btn btn-create', tabindex: 3
     = link_to 'Cancel', project_branches_path(@project), class: 'btn btn-cancel'
+-# haml-lint:disable InlineJavaScript
 %script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe

app/views/projects/edit.html.haml

@@ -70,6 +70,7 @@
         Enable or disable certain project features and choose access levels.
     .settings-content
       = form_for [@project.namespace.becomes(Namespace), @project], remote: true, html: { multipart: true, class: "sharing-permissions-form" }, authenticity_token: true do |f|
+        -# haml-lint:disable InlineJavaScript
         %script.js-project-permissions-form-data{ type: "application/json" }= project_permissions_panel_data(@project)
         .js-project-permissions-form
         = f.submit 'Save changes', class: "btn btn-save"

app/views/projects/graphs/charts.html.haml

@@ -74,6 +74,7 @@
           = _("Commits per day hour (UTC)")
         %canvas#hour-chart
 
+-# haml-lint:disable InlineJavaScript
 %script#projectChartData{ type: "application/json" }
   - projectChartData = {};
   - projectChartData['hour'] = @commits_per_time

app/views/projects/issues/show.html.haml

@@ -55,6 +55,7 @@
 
 .issue-details.issuable-details
   .detail-page-description.content-block
+    -# haml-lint:disable InlineJavaScript
     %script#js-issuable-app-initial-data{ type: "application/json" }= issuable_initial_data(@issue).to_json
     #js-issuable-app
       %h2.title= markdown_field(@issue, :title)

app/views/projects/pipelines/charts/_pipeline_times.haml

@@ -4,4 +4,5 @@
 
   %canvas#build_timesChart{ height: 200 }
 
+-# haml-lint:disable InlineJavaScript
 %script#pipelinesTimesChartsData{ type: "application/json" }= { :labels => @charts[:pipeline_times].labels, :values => @charts[:pipeline_times].pipeline_times }.to_json.html_safe

app/views/projects/pipelines/charts/_pipelines.haml

@@ -26,6 +26,7 @@
     = _("Pipelines for last year")
   %canvas#yearChart.padded{ height: 250 }
 
+-# haml-lint:disable InlineJavaScript
 %script#pipelinesChartsData{ type: "application/json" }
   - chartData = []
   - [:week, :month, :year].each do |scope|

app/views/projects/pipelines/new.html.haml

@@ -20,4 +20,5 @@
     = f.submit 'Create pipeline', class: 'btn btn-create', tabindex: 3
     = link_to 'Cancel', project_pipelines_path(@project), class: 'btn btn-cancel'
 
+-# haml-lint:disable InlineJavaScript
 %script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe

app/views/projects/tags/new.html.haml

@@ -43,4 +43,5 @@
   .form-actions
     = button_tag s_('TagsPage|Create tag'), class: 'btn btn-create'
     = link_to s_('TagsPage|Cancel'), project_tags_path(@project), class: 'btn btn-cancel'
+-# haml-lint:disable InlineJavaScript
 %script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe

app/views/shared/boards/_show.html.haml

@@ -7,6 +7,7 @@
 - content_for :page_specific_javascripts do
   = webpack_bundle_tag 'common_vue'
 
+  -# haml-lint:disable InlineJavaScript
   %script#js-board-template{ type: "text/x-template" }= render "shared/boards/components/board"
   %script#js-board-modal-filter{ type: "text/x-template" }= render "shared/issuable/search_bar", type: :boards_modal
 

app/views/shared/issuable/_sidebar.html.haml

@@ -117,10 +117,12 @@
                   = render partial: "shared/issuable/label_page_create"
 
       - if issuable.has_attribute?(:confidential)
+        -# haml-lint:disable InlineJavaScript
         %script#js-confidential-issue-data{ type: "application/json" }= { is_confidential: @issue.confidential, is_editable: can_edit_issuable }.to_json.html_safe
         #js-confidential-entry-point
 
       - if issuable.has_attribute?(:discussion_locked)
+        -# haml-lint:disable InlineJavaScript
         %script#js-lock-issue-data{ type: "application/json" }= { is_locked: issuable.discussion_locked?, is_editable: can_edit_issuable }.to_json.html_safe
         #js-lock-entry-point
 
@@ -157,4 +159,5 @@
                   = _('Move')
                   = icon('spinner spin', class: 'sidebar-move-issue-confirmation-loading-icon')
 
+    -# haml-lint:disable InlineJavaScript
     %script.js-sidebar-options{ type: "application/json" }= issuable_sidebar_options(issuable, can_edit_issuable).to_json.html_safe

app/views/shared/notes/_notes_with_form.html.haml

@@ -35,4 +35,5 @@
         is locked. Only
         %b project members
         can comment.
+-# haml-lint:disable InlineJavaScript
 %script.js-notes-data{ type: "application/json" }= initial_notes_data(autocomplete).to_json.html_safe

app/views/u2f/_authenticate.html.haml

 #js-authenticate-u2f
 %a.btn.btn-block.btn-info#js-login-2fa-device{ href: '#' } Sign in via 2FA code
 
+-# haml-lint:disable InlineJavaScript
 %script#js-authenticate-u2f-not-supported{ type: "text/template" }
   %p Your browser doesn't support U2F. Please use Google Chrome desktop (version 41 or newer).
 

app/views/u2f/_register.html.haml

 #js-register-u2f
 
+-# haml-lint:disable InlineJavaScript
 %script#js-register-u2f-not-supported{ type: "text/template" }
   %p Your browser doesn't support U2F. Please use Google Chrome desktop (version 41 or newer).
 

lib/haml_lint/inline_javascript.rb

@@ -12,6 +12,12 @@ unless Rails.env.production?
 
         record_lint(node, 'Inline JavaScript is discouraged (https://docs.gitlab.com/ee/development/gotchas.html#do-not-use-inline-javascript-in-views)')
       end
+
+      def visit_tag(node)
+        return unless node.tag_name == 'script'
+
+        record_lint(node, 'Inline JavaScript is discouraged (https://docs.gitlab.com/ee/development/gotchas.html#do-not-use-inline-javascript-in-views)')
+      end
     end
   end
 end