schmelczer-dev/scripts/check-no-js.mjs
2026-06-11 21:35:45 +01:00

72 lines
2.5 KiB
JavaScript

import { readFile } from 'node:fs/promises';
import { dist, requireDist } from './lib/dist.mjs';
import { walk } from './lib/walk.mjs';
const failures = [];
await requireDist();
const files = await walk(dist);
const ALLOWED_JS_ASSET_PATTERNS = [
/[/\\]_astro[/\\]Analytics\.astro_astro_type_script_index_0_lang\.[\w-]+\.js$/,
];
const jsFiles = files.filter(
(file) =>
file.endsWith('.js') &&
!ALLOWED_JS_ASSET_PATTERNS.some((pattern) => pattern.test(file))
);
if (jsFiles.length > 0) {
failures.push(
`Unexpected JavaScript assets:\n${jsFiles.map((file) => `- ${file}`).join('\n')}`
);
}
// Script tags are only allowed if they declare one of these safe `type`
// attributes or match one of the known executable scripts below. All other
// scripts, including untyped ones, which default to executable JavaScript, are
// flagged.
const SAFE_SCRIPT_TYPES = new Set([
'application/ld+json',
'importmap',
'speculationrules',
]);
const ANALYTICS_SCRIPT_SRC_PATTERN =
/\bsrc=["']\/_astro\/Analytics\.astro_astro_type_script_index_0_lang\.[\w-]+\.js["']/i;
function isSafeScriptTag(tag) {
if (tag.includes('data-theme-script')) return true;
if (tag.includes('data-thumbnail-iframe-script')) return true;
if (tag.includes('data-video-thumbnail-script')) return true;
if (ANALYTICS_SCRIPT_SRC_PATTERN.test(tag)) return true;
const typeMatch = tag.match(/\btype=["']([^"']+)["']/i);
if (!typeMatch) return false;
return SAFE_SCRIPT_TYPES.has(typeMatch[1].trim().toLowerCase());
}
for (const file of files.filter((candidate) => candidate.endsWith('.html'))) {
const html = await readFile(file, 'utf8');
const scripts = (html.match(/<script\b[^>]*>/gi) ?? []).filter(
(tag) => !isSafeScriptTag(tag)
);
if (scripts.length) {
failures.push(`Unexpected script tag in ${file}:\n${scripts.join('\n')}`);
}
// Inline event handlers (onclick=, onload=, etc.) execute JavaScript even
// without a <script> tag, so flag any attribute matching `on*=`. We strip
// <script> blocks first to avoid false positives from JSON-LD payloads.
const stripped = html.replace(/<script\b[\s\S]*?<\/script>/gi, '');
const handlerMatches = stripped.match(/\son\w+=/gi);
if (handlerMatches?.length) {
const unique = [...new Set(handlerMatches.map((m) => m.trim()))];
failures.push(`Unexpected inline event handler in ${file}:\n${unique.join('\n')}`);
}
}
if (failures.length > 0) {
console.error(failures.join('\n\n'));
process.exit(1);
}
console.log('No unexpected JavaScript found in dist/.');