claude again

scripts/check-no-js.mjs

@@ -35,14 +35,41 @@ if (jsFiles.length > 0) {
   );
 }
 
+// Script tags are only allowed if they declare one of these safe `type`
+// attributes (or are tagged with `data-theme-script`). All other scripts —
+// including untyped ones, which default to executable JavaScript — are
+// flagged.
+const SAFE_SCRIPT_TYPES = new Set([
+  'application/ld+json',
+  'importmap',
+  'speculationrules',
+]);
+
+function isSafeScriptTag(tag) {
+  if (tag.includes('data-theme-script')) return true;
+  const typeMatch = tag.match(/\btype=["']([^"']+)["']/i);
+  if (!typeMatch) return false;
+  return SAFE_SCRIPT_TYPES.has(typeMatch[1].trim().toLowerCase());
+}
+
 for (const file of files.filter((candidate) => candidate.endsWith('.html'))) {
   const html = await readFile(file, 'utf8');
-  const scripts = (
-    html.match(/<script\b(?![^>]*type=["']application\/ld\+json["'])[^>]*>/gi) ?? []
-  ).filter((script) => !script.includes('data-theme-script'));
-  if (scripts?.length) {
+  const scripts = (html.match(/<script\b[^>]*>/gi) ?? []).filter(
+    (tag) => !isSafeScriptTag(tag)
+  );
+  if (scripts.length) {
     failures.push(`Unexpected script tag in ${file}:\n${scripts.join('\n')}`);
   }
+
+  // Inline event handlers (onclick=, onload=, etc.) execute JavaScript even
+  // without a <script> tag, so flag any attribute matching `on*=`. We strip
+  // <script> blocks first to avoid false positives from JSON-LD payloads.
+  const stripped = html.replace(/<script\b[\s\S]*?<\/script>/gi, '');
+  const handlerMatches = stripped.match(/\son\w+=/gi);
+  if (handlerMatches?.length) {
+    const unique = [...new Set(handlerMatches.map((m) => m.trim()))];
+    failures.push(`Unexpected inline event handler in ${file}:\n${unique.join('\n')}`);
+  }
 }
 
 if (failures.length > 0) {