# Lint rules for HTML templates. Prefixes: T* = template syntax, D* = Django,
# J* = Jinja, H* = plain HTML. Each entry is one rule: `patterns` are Python
# `re` regexes compiled with `flags` (written as a Python re flag expression,
# e.g. re.DOTALL|re.I); presumably a match reports `message` under `name`.
# NOTE(review): rule files like this can be user-supplied — confirm the loader
# resolves `flags` by name (getattr on `re`) rather than eval()-ing the string.
- rule:
    name: T001
    message: Variables should be wrapped in a single whitespace.
    flags: re.DOTALL
    # presumably: profiles for which this rule is skipped
    exclude:
      - handlebars
      - golang
    patterns:
      # open
      - '{{[^\s#/@^]+'
      - '{%-[^\s]+'
      - '{%[^\s|\-]+'
      # handlebars
      - '[^{]{#[^\s-]+|^{#[^\s-]+'
      - '[^{]{#-[^\s]+|^{#-[^\s]+'
      - '[^{]{\/[^\s]+|^{\/[^\s]+'
      - '[^{]{\@[^\s]+|^{\@[^\s]+'
      # close
      # NOTE: `[}|%|#]` is a character class, so the pipes are literal "|"
      # characters, not alternation; `[}%#]` is the intended set. The same
      # quirk (`[\"|']`, `[\w|/]`) recurs in later rules and is harmless
      # except that a literal "|" is also accepted in those positions.
      - '[^(\s|^|\-)]+[}|%|#]}'
      - '[^(\s|^)]+\-[}|%|#]}'
      - \s{2,}[}|%|#]}
      - '{[{|%|#]-?\s{2,}'
- rule:
    name: T002
    message: Double quotes should be used in tags.
    flags: re.DOTALL
    patterns:
      # only `{% extends %}` is checked: a template name that is bare or
      # single-quoted (anything but `"` after the whitespace) is flagged
      - '{%.?extends\s+?[^\"]\w+'
- rule:
    name: T003
    message: 'Endblock should have name. Ex: {% endblock body %}.'
    flags: re.DOTALL
    patterns:
      # `{% endblock %}` with nothing between the keyword and the closing delimiter
      - '{%\s*?endblock\s*?%}'
- rule:
    name: D004
    message: (Django) Static urls should follow {% static path/to/file %} pattern.
    flags: re.DOTALL
    # this should be using the static path from django settings
    patterns:
      # a hard-coded "/static/" or "static/" at the start of href/src/srcset on
      # link/img/script/source tags
      - <(?:link|img|script|source)\s[^\>]*?(?:href|src|srcset)=[\"\']/?static/?
- rule:
    name: J004
    message: (Jinja) Static urls should follow {{ url_for('static'..) }} pattern.
    flags: re.DOTALL
    # same pattern as D004; the static path should come from the app's static
    # route via url_for('static', ...) rather than being hard-coded
    patterns:
      - <(?:link|img|script|source)\s[^\>]*?(?:href|src|srcset)=[\"\']/?static/?
- rule:
    name: H005
    message: Html tag should have lang attribute.
    flags: re.DOTALL|re.I
    patterns:
      # <html ...> with no "lang" substring anywhere before the closing ">"
      - <html\s*(?:(?!lang).)*>
- rule:
    name: H006
    message: Img tag should have height and width attributes.
    flags: re.DOTALL|re.I
    patterns:
      # one pattern per missing attribute. The scan is not bounded by ">" (`.`
      # spans newlines under re.DOTALL), so the reported match can run on past
      # the tag until the next "height="/"width=" or the end of the file.
      - <img\s(?:(?!(?:height)=).)*/?>
      - <img\s(?:(?!(?:width)=).)*/?>
- rule:
    name: H007
    message: <!DOCTYPE ... > should be present before the html tag.
    flags: re.DOTALL|re.I
    patterns:
      # no re.M, so "^" is the very start of the file: fires only when "<html"
      # is at offset 0; a leading blank line or BOM before <html is not flagged
      - ^<html
- rule:
    name: H008
    message: Attributes should be double quoted.
    flags: re.DOTALL|re.I
    patterns:
      # skip over already-quoted values and {...} template expressions, then
      # catch one of the listed attributes whose value opens with a single quote
      - <(?:\w+)\b(\"[^\"]*\"|'[^']*'|{[^}]*}|[^'\">{}])*(?:class|id|src|width|height|alt|style|lang|title|srcset|media)=\'[^\']*'
- rule:
    name: H009
    message: Tag names should be lowercase.
    flags: re.DOTALL
    patterns:
      # deliberately case-sensitive (no re.I) and limited to the listed tag
      # names; mixed case such as "Div" is not caught
      - (?<=<)(?:HTML|BODY|DIV|P|SPAN|TABLE|TR|TD|TH|THEAD|TBODY|CODE|UL|OL|LI|H1|H2|H3|H4|H5|H6)
- rule:
    name: H010
    message: Attribute names should be lowercase.
    flags: re.DOTALL
    patterns:
      # case-sensitive on purpose: only the fully upper-cased names listed here
      - <\w+[^\>]+?(?:CLASS|ID|SRC|WIDTH|HEIGHT|ALT|STYLE|LANG|TITLE|MEDIA|SRCSET)=
- rule:
    name: H011
    message: Attribute values should be quoted.
    # re.X (verbose) is set: whitespace in the pattern is ignored and "#" would
    # start a regex comment, so the patterns must stay free of both. The literal
    # block scalar below adds a trailing newline, which re.X ignores.
    flags: re.DOTALL|re.I|re.M|re.X
    patterns:
      # non-meta tags: a listed attribute directly followed by an unquoted word
      - |
        <(?:(?!meta)\w+)\b(\"[^\"]*\"|'[^']*'|{[^}]*}|[^'\">{}])*(?:class|id|src|width|height|alt|style|lang|title|href|action|method|checked|required|srcset)=[a-zA-Z_-]+
      # meta tags: a simpler scan with its own attribute list (adds "name")
      - <(?:meta)\s+?[^>]*?(?:class|id|src|alt|style|lang|title|href|action|method|name)=[a-zA-Z_-]+
- rule:
    name: H012
    message: There should be no spaces around attribute =.
    flags: re.DOTALL
    patterns:
      # scan the tag up to a template delimiter ({%, {{, {#), a newline or ">";
      # first pattern: whitespace before "=", second: whitespace after it
      - <\w+?(?:(?!\{[%|{|#])[^\n|>])*\s+=
      - <\w+?(?:(?!\{[%|{|#])[^\n|>])*=\s
- rule:
    name: H013
    message: Img tag should have an alt attribute.
    flags: re.DOTALL|re.I
    patterns:
      # <img ...> with no "alt=" before a closing ">". As in H006 the scan is
      # not bounded by ">" under re.DOTALL, so the match may extend past the tag.
      - <img\s(?:(?!(?:alt)=).)*/?>
- rule:
    name: H014
    message: Found extra blank lines.
    flags: re.DOTALL
    patterns:
      # double-quoted YAML: each "\n" reaches `re` as a real newline character,
      # which matches exactly as the regex escape would
      - "[^\n]{,10}\n{3,}"
- rule:
    name: H015
    message: Follow h tags with a line break.
    flags: re.DOTALL
    patterns:
      # The lookahead fails as soon as any newline exists later in the input, so
      # in practice this flags a closing h-tag immediately followed by another
      # opening tag; text may only be skipped on a final line with no newline.
      # NOTE(review): `.+` under re.DOTALL walks to the end of the input from
      # every `</h*>`; presumably cheap for normal templates, but worth a look
      # before running on very large or untrusted files.
      - </h\d?>(?:(?!(.+\r?\n){1,}).)*<[a-zA-Z]+\d?
- rule:
    name: H016
    message: Missing title tag in html.
    flags: re.DOTALL|re.I
    patterns:
      # looks for the literal "<title>" between <html> and </html>; a <title>
      # carrying attributes would not satisfy it and the rule would still fire
      - <html[^>]*?>(?:(?!<title>).)*</html>
- rule:
    name: H017
    message: Tag should be self closing.
    flags: re.DOTALL|re.I
    patterns:
      # void element with attributes whose ">" is not preceded by "/".
      # NOTE: `col[^(?:group)]` is a character class (one character that is none
      # of "(?:group)"), not a lookahead. It happens to exclude "colgroup"
      # because "g" is in the class, but it also consumes one extra character
      # after "col" (e.g. the following space).
      - <(img|input|area|base|br|col[^(?:group)]|embed|hr|link|meta|param|source|track|wbr|command|keygen|menuitem|path)[^>]*?[^/]>
      # bare void element with no attributes at all
      - <(img|input|area|base|br|col|embed|hr|link|meta|param|source|track|wbr|command|keygen|menuitem|path)>
- rule:
    name: D018
    message: (Django) Internal links should use the {% url ... %} pattern.
    flags: re.DOTALL|re.I
    patterns:
      # a hard-coded path in href/data-url/data-src/action (and form action).
      # The lookahead leaves absolute http(s) URLs and javascript:/on*:/mailto:/
      # tel: values alone (javascript: is handled by H019). Template expressions
      # such as "{{ url }}" are not matched because "{" is not in `[\w|/]`.
      # Protocol-relative "//host/..." values are matched and reported here.
      - <(?:a|div|span|input)\b[^>]*?\s(?:href|data-url|data-src|action)=[\"|'](?!(?:https?://)|javascript:|on\w+:|mailto:|tel:)[\w|/]+
      - <form\s+?[^>]*?(?:action)=[\"|'](?!(?:https?://)|javascript:|on\w+:|mailto:|tel:)[\w|/]+
- rule:
    name: J018
    message: (Jinja) Internal links should use the {{ url_for() ... }} pattern.
    flags: re.DOTALL|re.I
    # identical patterns to D018; only the message differs
    patterns:
      - <(?:a|div|span|input)\b[^>]*?\s(?:href|data-url|data-src|action)=[\"|'](?!(?:https?://)|javascript:|on\w+:|mailto:|tel:)[\w|/]+
      - <form\s+?[^>]*?(?:action)=[\"|'](?!(?:https?://)|javascript:|on\w+:|mailto:|tel:)[\w|/]+
- rule:
    name: H019
    message: Replace 'javascript:abc()' with on_ event and real url.
    flags: re.DOTALL|re.I
    patterns:
      # a value that begins exactly with "javascript:" right after the opening
      # quote and is followed by at least one word char or "/" — so the common
      # href="javascript:;" form is not matched (";" is outside `[\w|/]`).
      # NOTE(review): this is a style rule on template source, not an XSS
      # control: leading whitespace or tab/newline characters embedded in the
      # scheme, which browsers tolerate, are not covered. Rely on autoescaping
      # and CSP for untrusted URL values.
      - <(?:a|div|span|input)\s+?[^>]*?(?:href|data-url)=[\"|']javascript:[\w|/]+
      - <form\s+?[^>]*?(?:action)=[\"|']javascript:[\w|/]+
- rule:
    name: H020
    message: Empty tag pair found. Consider removing.
    flags: re.DOTALL|re.I
    patterns:
      # <x></x> with only whitespace inside; \1 ties the closing name to the
      # opening one. The exclusion is a prefix test, so tags merely starting
      # with td/li/th/dt/dd (e.g. link, thead) are spared as well.
      - <((?!td|li|th|dt|dd)\w+)\s*?>\s*?<\/\1>
- rule:
    name: H021
    message: Inline styles should be avoided.
    flags: re.I
    patterns:
      # any style= attribute. Beyond maintainability, inline style attributes
      # are blocked by a Content-Security-Policy style-src without 'unsafe-inline'.
      - <\w+\s(?:[^>]*\s)?style=(?=[^>]*>)
- rule:
    name: H022
    message: Use HTTPS for external links.
    flags: re.I
    patterns:
      # a href/data-url/action/src/url/srcset value that starts with a literal
      # "http://"; this includes <form action="http://..."> (form data sent in
      # clear). Not covered: protocol-relative "//host/..." URLs, values built
      # from template expressions, and http:// candidates later in a srcset list.
      - <\w+\s[^>]*?(?:href|data-url|action|src|url|srcset)=[\"|']http://[^>]*?>
- rule:
    name: H023
    message: Do not use entity references.
    flags: re.I
    patterns:
      # any &...; entity outside the short allow-list; numeric &#...; forms are
      # flagged too. Single-quoted because a plain scalar starting with "&"
      # would be read by YAML as an anchor.
      - '&(?!(lt|gt|amp|quot|nbsp|ensp|emsp|thinsp))[#0-9a-z]{,30};'
- rule:
    name: H024
    message: Omit type on scripts and styles.
    flags: re.I
    patterns:
      # only the two default MIME types are flagged; e.g. type="module" is left alone
      - <(?:script|style)[^>]*?type=[\"|'](?:(?:text/css)|(?:text/javascript))[^>]*?>
- rule:
    name: H025
    message: Tag seems to be an orphan.
    flags: re.I|re.DOTALL
    patterns:
      # captures every tag that is not self-closed (group 3 = name, with a
      # leading "/" kept in group 2); presumably the caller pairs opening and
      # closing names itself. NOTE: `{#[^%]*#}` stops at "%" rather than "#",
      # presumably a slip for `[^#]`.
      - <((/?(\w+))\b(\"[^\"]*\"|'[^']*'|{{[^}]*}}|{%[^%]*%}|{#[^%]*#}|[^'\">{}])*)(?<!/)>
- rule:
    name: H026
    message: Empty id and class tags can be removed.
    flags: re.I
    patterns:
      # class="" / id=''. NOTE: `[^(?:{(?:%|{|#))>]` is a character class, not a
      # lookahead — the scan simply stops at any of ( ? : { % | # ) >
      - <\w+\b[^(?:{(?:%|{|#))>]*?\b(class|id)\b=(\"\"|'')
      # class / id present with no "=" following (a bare attribute)
      - <\w+\b[^(?:{(?:%|{|#))>-]*?\b(class|id)\b[^=\"-]
- rule:
    name: T027
    message: Unclosed string found in template syntax.
    flags: re.I
    patterns:
      # Double-quoted YAML so that \\2 reaches `re` as the backreference \2 and
      # \" as a plain quote. Each pattern consumes pairs of one quote kind
      # inside a {% %} / {{ }} tag and then requires one more, i.e. it matches
      # when the number of quotes of that kind in the tag is odd.
      # NOTE(review): the nested lazy `*` groups can backtrack heavily on long
      # tags containing many quotes; presumably fine for hand-written
      # templates, but keep in mind if the linter is ever run on untrusted input.
      # for tags with 3/5/7... quotes
      # for single quotes
      - "{%((?:(?!'|%}).)*?(')(?:(?!\\2|%}).)*?\\2(?:(?!\\2|%}).)*?)*\\2(?:(?!\\2|%}).)*?%}"
      # for double quotes
      - "{%((?:(?!\"|%}).)*?(\")(?:(?!\\2|%}).)*?\\2(?:(?!\\2|%}).)*?)*\\2(?:(?!\\2|%}).)*?%}"
      # for single quotes
      - "{{((?:(?!'|}}).)*?(')(?:(?!\\2|}}).)*?\\2(?:(?!\\2|}}).)*?)*\\2(?:(?!\\2|}}).)*?}}"
      # for double quotes
      - "{{((?:(?!\"|}}).)*?(\")(?:(?!\\2|}}).)*?\\2(?:(?!\\2|}}).)*?)*\\2(?:(?!\\2|}}).)*?}}"
      # for tags with a single quote (either kind)
      - "{%((?:(?!'|\"|%}).)*?('|\")(?:(?!\\2|%}).)*?)%}"
      - "{{((?:(?!'|\"|}}).)*?('|\")(?:(?!\\2|}}).)*?)}}"
- rule:
    name: T028
    message: Consider using spaceless tags inside attribute values. {%- if/for -%}
    # presumably skipped for Django because its template language has no
    # {%- ... -%} whitespace-control syntax
    exclude:
      - django
    patterns:
      # {% if/for/else/end... %} inside a quoted attribute value (any attribute
      # except class) where the opening delimiter carries no "-"
      - <(?:/?(?:\w+)\b(?:\"[^\"]*\"|'[^']*'|{[^}]*}|[^'\">{}/])*(?<!\bclass)=([\"'])(?:(?!\1).)*?({%)[^-])\s*?(?:if|for|else|end)
      # same, where the closing delimiter carries no "-"
      - <(?:/?(?:\w+)\b(?:\"[^\"]*\"|'[^']*'|{[^}]*}|[^'\">{}/])*(?<!\bclass)=([\"'])(?:(?!\1).)*?{%(?:(?!%}).)*(?:if|else|for|end)(?:(?!%}).)*[^-](%}))
- rule:
    name: H029
    message: Consider using lowercase form method values.
    patterns:
      # no flags, so case-insensitivity is spelled out per letter; flags a
      # quoted method value that contains at least one uppercase letter
      - <[fF][oO][rR][mM]\b(?:\"[^\"]*\"|'[^']*'|{[^}]*}|[^'\">{}/])*([mM][eE][tT][hH][oO][dD])=(([\"'])[a-zA-Z]*?[A-Z][a-zA-Z]*?\3)
- rule:
    name: H030
    message: Consider adding a meta description.
    flags: re.DOTALL|re.I
    patterns:
      # whole-document scan: no <meta ... name="description"> anywhere between
      # <html> and </html>
      - <html[^>]*?>(?:(?!<meta[^>]*?name=([\"|'])description\b).)*</html>
- rule:
    name: H031
    message: Consider adding meta keywords.
    flags: re.DOTALL|re.I
    patterns:
      # as H030, for name="keywords"
      - <html[^>]*?>(?:(?!<meta[^>]*?name=([\"|'])keywords\b).)*</html>
- rule:
    name: T032
    message: Extra whitespace found in template tags.
    patterns:
      # two or more spaces/tabs inside {% %} / {{ }}, skipping over quoted
      # strings. Double-quoted YAML: \" is a plain quote and \n / \t reach `re`
      # as real newline/tab characters. `[^(?:%}|'|\"|\n)]` is a character
      # class, so the scan stops at any single one of those characters.
      - "{%(([\"|'](?:(?!'|\"|%}).)*?[\"|'])|[^(?:%}|'|\"|\n)])*?[ \t]{2,}"
      - "{{(([\"|'](?:(?!'|\"|}}).)*?[\"|'])|[^(?:}}|'|\"|\n)])*?[ \t]{2,}"
- rule:
    name: H033
    message: Extra whitespace found in form action.
    patterns:
      # leading whitespace right after the opening quote
      - <form[^>]+?action=['|"]\s
      # trailing whitespace before the matching closing quote, stepping over
      # {{ }} / {% %} expressions inside the value
      - <form[^>]+?action=(['|"])({{(?:(?!}}).)*}}|{%(?:(?!%}).)*%}|([^"'{]))*\s+?\1