From aea9b62737886386fbc2288a47fc5eff04b27dca Mon Sep 17 00:00:00 2001
From: Manuel Puyol <manuelpuyol@github.com>
Date: Thu, 24 Mar 2022 17:07:37 +0000
Subject: [PATCH 1/3] Add rule to prohibit building script tags in the client

---
 README.md                            |  1 +
 docs/rules/no-script-tag-building.md | 24 ++++++++++++++++++
 lib/configs/recommended.js           |  1 +
 lib/index.js                         |  1 +
 lib/rules/no-script-tag-building.js  | 30 ++++++++++++++++++++++
 tests/no-script-tag-building.js      | 38 ++++++++++++++++++++++++++++
 6 files changed, 95 insertions(+)
 create mode 100644 docs/rules/no-script-tag-building.md
 create mode 100644 lib/rules/no-script-tag-building.js
 create mode 100644 tests/no-script-tag-building.js

diff --git a/README.md b/README.md
index 24cde393..e19efc10 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,7 @@ The available configs are:
 - [No Implicit Buggy Globals](./docs/rules/no-implicit-buggy-globals.md)
 - [No Inner HTML](./docs/rules/no-inner-html.md)
 - [No InnerText](./docs/rules/no-innerText.md)
+- [No Script Tag Building](./docs/rules/no-script-tag-building.md)
 - [No Then](./docs/rules/no-then.md)
 - [No Useless Passive](./docs/rules/no-useless-passive.md)
 - [Prefer Observers](./docs/rules/prefer-observers.md)
diff --git a/docs/rules/no-script-tag-building.md b/docs/rules/no-script-tag-building.md
new file mode 100644
index 00000000..3342cf84
--- /dev/null
+++ b/docs/rules/no-script-tag-building.md
@@ -0,0 +1,24 @@
+# No Script Tag Building
+
+## Rule Details
+
+Creating dynamic script tags bypasses a lot of security measures - like SRIs - and pose a potential threat to your application.
+Instead of creating a `script` tag in the client, provide all necessary `script` tags in the page's HTML.
+
+👎 Examples of **incorrect** code for this rule:
+
+```js
+document.createElement('script')
+document.getElementById('some-id').type = 'text/javascript'
+```
+
+👍 Examples of **correct** code for this rule:
+
+```html
+<!-- index.html -->
+<script src="/index.js" type="text/javascript">
+```
+
+## Version
+
+4.3.2
diff --git a/lib/configs/recommended.js b/lib/configs/recommended.js
index b6711738..5802c26d 100644
--- a/lib/configs/recommended.js
+++ b/lib/configs/recommended.js
@@ -23,6 +23,7 @@ module.exports = {
     'github/array-foreach': 'error',
     'github/no-implicit-buggy-globals': 'error',
     'github/no-then': 'error',
+    'github/no-script-tag-building': 'error',
     'i18n-text/no-en': ['error'],
     'import/default': 'error',
     'import/export': 'error',
diff --git a/lib/index.js b/lib/index.js
index 3bd81bf7..9147dbbc 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -12,6 +12,7 @@ module.exports = {
     'no-implicit-buggy-globals': require('./rules/no-implicit-buggy-globals'),
     'no-inner-html': require('./rules/no-inner-html'),
     'no-innerText': require('./rules/no-innerText'),
+    'no-script-tag-building': require('./rules/no-script-tag-building'),
     'no-then': require('./rules/no-then'),
     'no-useless-passive': require('./rules/no-useless-passive'),
     'prefer-observers': require('./rules/prefer-observers'),
diff --git a/lib/rules/no-script-tag-building.js b/lib/rules/no-script-tag-building.js
new file mode 100644
index 00000000..7eceb2f3
--- /dev/null
+++ b/lib/rules/no-script-tag-building.js
@@ -0,0 +1,30 @@
+module.exports = {
+  meta: {
+    type: 'suggestion',
+    docs: {
+      description: 'disallow marking a event handler as passive when it has no effect',
+      url: require('../url')(module)
+    },
+    fixable: 'code',
+    schema: []
+  },
+
+  create(context) {
+    return {
+      'CallExpression[callee.property.name="createElement"][arguments.length > 0]': function (node) {
+        if (node.arguments[0].value !== 'script') return
+
+        context.report({
+          node: node.arguments[0],
+          message: "Don't create dynamic script tags, add them in the server template instead."
+        })
+      },
+      'AssignmentExpression[left.property.name="type"][right.value="text/javascript"]': function (node) {
+        context.report({
+          node: node.right,
+          message: "Don't create dynamic script tags, add them in the server template instead."
+        })
+      }
+    }
+  }
+}
diff --git a/tests/no-script-tag-building.js b/tests/no-script-tag-building.js
new file mode 100644
index 00000000..60e1e78f
--- /dev/null
+++ b/tests/no-script-tag-building.js
@@ -0,0 +1,38 @@
+const rule = require('../lib/rules/no-script-tag-building')
+const RuleTester = require('eslint').RuleTester
+
+const ruleTester = new RuleTester()
+
+ruleTester.run('no-script-tag-building', rule, {
+  valid: [
+    {
+      code: 'document.createElement("div")'
+    },
+    {
+      code: 'document.createElement("span")'
+    },
+    {
+      code: 'document.createElement("span").type = "foo"'
+    }
+  ],
+  invalid: [
+    {
+      code: 'document.createElement("script")',
+      errors: [
+        {
+          message: "Don't create dynamic script tags, add them in the server template instead.",
+          type: 'Literal'
+        }
+      ]
+    },
+    {
+      code: 'document.createElement("span").type = "text/javascript"',
+      errors: [
+        {
+          message: "Don't create dynamic script tags, add them in the server template instead.",
+          type: 'Literal'
+        }
+      ]
+    }
+  ]
+})

From 0bb4d4b47ec017bf5a782eda855c7ccf58da3212 Mon Sep 17 00:00:00 2001
From: Manuel Puyol <manuelpuyol@github.com>
Date: Thu, 24 Mar 2022 19:22:11 +0000
Subject: [PATCH 2/3] Update to no-dynamic-script-tag

---
 README.md                                                     | 2 +-
 .../{no-script-tag-building.md => no-dynamic-script-tag.md}   | 2 +-
 lib/configs/recommended.js                                    | 2 +-
 lib/index.js                                                  | 2 +-
 .../{no-script-tag-building.js => no-dynamic-script-tag.js}   | 2 +-
 tests/{no-script-tag-building.js => no-dynamic-script-tag.js} | 4 ++--
 6 files changed, 7 insertions(+), 7 deletions(-)
 rename docs/rules/{no-script-tag-building.md => no-dynamic-script-tag.md} (95%)
 rename lib/rules/{no-script-tag-building.js => no-dynamic-script-tag.js} (90%)
 rename tests/{no-script-tag-building.js => no-dynamic-script-tag.js} (87%)

diff --git a/README.md b/README.md
index e19efc10..4eac90e2 100644
--- a/README.md
+++ b/README.md
@@ -50,10 +50,10 @@ The available configs are:
 - [No Blur](./docs/rules/no-blur.md)
 - [No D None](./docs/rules/no-d-none.md)
 - [No Dataset](./docs/rules/no-dataset.md)
+- [No Dynamic Script Tag](./docs/rules/no-dynamic-script-tag.md)
 - [No Implicit Buggy Globals](./docs/rules/no-implicit-buggy-globals.md)
 - [No Inner HTML](./docs/rules/no-inner-html.md)
 - [No InnerText](./docs/rules/no-innerText.md)
-- [No Script Tag Building](./docs/rules/no-script-tag-building.md)
 - [No Then](./docs/rules/no-then.md)
 - [No Useless Passive](./docs/rules/no-useless-passive.md)
 - [Prefer Observers](./docs/rules/prefer-observers.md)
diff --git a/docs/rules/no-script-tag-building.md b/docs/rules/no-dynamic-script-tag.md
similarity index 95%
rename from docs/rules/no-script-tag-building.md
rename to docs/rules/no-dynamic-script-tag.md
index 3342cf84..5f8fd953 100644
--- a/docs/rules/no-script-tag-building.md
+++ b/docs/rules/no-dynamic-script-tag.md
@@ -1,4 +1,4 @@
-# No Script Tag Building
+# No Dynamic Script Tag
 
 ## Rule Details
 
diff --git a/lib/configs/recommended.js b/lib/configs/recommended.js
index 5802c26d..e2861f78 100644
--- a/lib/configs/recommended.js
+++ b/lib/configs/recommended.js
@@ -23,7 +23,7 @@ module.exports = {
     'github/array-foreach': 'error',
     'github/no-implicit-buggy-globals': 'error',
     'github/no-then': 'error',
-    'github/no-script-tag-building': 'error',
+    'github/no-dynamic-script-tag': 'error',
     'i18n-text/no-en': ['error'],
     'import/default': 'error',
     'import/export': 'error',
diff --git a/lib/index.js b/lib/index.js
index 9147dbbc..838ec673 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -12,7 +12,7 @@ module.exports = {
     'no-implicit-buggy-globals': require('./rules/no-implicit-buggy-globals'),
     'no-inner-html': require('./rules/no-inner-html'),
     'no-innerText': require('./rules/no-innerText'),
-    'no-script-tag-building': require('./rules/no-script-tag-building'),
+    'no-dynamic-script-tag': require('./rules/no-dynamic-script-tag'),
     'no-then': require('./rules/no-then'),
     'no-useless-passive': require('./rules/no-useless-passive'),
     'prefer-observers': require('./rules/prefer-observers'),
diff --git a/lib/rules/no-script-tag-building.js b/lib/rules/no-dynamic-script-tag.js
similarity index 90%
rename from lib/rules/no-script-tag-building.js
rename to lib/rules/no-dynamic-script-tag.js
index 7eceb2f3..6a44bb1c 100644
--- a/lib/rules/no-script-tag-building.js
+++ b/lib/rules/no-dynamic-script-tag.js
@@ -2,7 +2,7 @@ module.exports = {
   meta: {
     type: 'suggestion',
     docs: {
-      description: 'disallow marking a event handler as passive when it has no effect',
+      description: 'disallow creating dynamic script tags',
       url: require('../url')(module)
     },
     fixable: 'code',
diff --git a/tests/no-script-tag-building.js b/tests/no-dynamic-script-tag.js
similarity index 87%
rename from tests/no-script-tag-building.js
rename to tests/no-dynamic-script-tag.js
index 60e1e78f..cd57b217 100644
--- a/tests/no-script-tag-building.js
+++ b/tests/no-dynamic-script-tag.js
@@ -1,9 +1,9 @@
-const rule = require('../lib/rules/no-script-tag-building')
+const rule = require('../lib/rules/no-dynamic-script-tag')
 const RuleTester = require('eslint').RuleTester
 
 const ruleTester = new RuleTester()
 
-ruleTester.run('no-script-tag-building', rule, {
+ruleTester.run('no-dynamic-script-tag', rule, {
   valid: [
     {
       code: 'document.createElement("div")'

From 97d7f2b2bfc505828bb80eb522cd02ca2f6b1763 Mon Sep 17 00:00:00 2001
From: Manuel Puyol <manuelpuyol@github.com>
Date: Fri, 25 Mar 2022 09:48:49 -0500
Subject: [PATCH 3/3] Update lib/rules/no-dynamic-script-tag.js
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Kristján Oddsson <koddsson@gmail.com>
---
 lib/rules/no-dynamic-script-tag.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/rules/no-dynamic-script-tag.js b/lib/rules/no-dynamic-script-tag.js
index 6a44bb1c..ef494b8b 100644
--- a/lib/rules/no-dynamic-script-tag.js
+++ b/lib/rules/no-dynamic-script-tag.js
@@ -5,7 +5,6 @@ module.exports = {
       description: 'disallow creating dynamic script tags',
       url: require('../url')(module)
     },
-    fixable: 'code',
     schema: []
   },