HTML linting: false positives from @-substituted attribute values in initialPosition

[veshivas]

Check for existing issues

• Completed

Environment

• Reproduced on Vale v3.13.0 and v3.14.0
• Affects .html files only (walker-based linting path)

Describe the bug / provide steps to reproduce it

Description

When linting HTML files, Vale produces false-positive alerts for words that appear as substrings inside HTML attribute values — not in prose. The root cause is in initialPosition (internal/core/location.go).

Root cause

The HTML walker (walk.go) progressively replaces processed text-node content with @ characters in its context field (subInplace). This substitution can corrupt adjacent HTML attribute values when a text-node string happens to be a substring of an attribute value.

Example: a text node containing "at" gets substituted globally in context, turning:

class="status technology-preview"

into:

class="st@@us technology-preview"

The word-boundary regex then matches "us" in "st@@us" — because @ is not a \w character — and reports a false positive at the attribute's column position.

There is also a secondary issue: the strings.Index fallback path (used when the regex finds no match) has no word-boundary guard, so it can match a short pattern like "us" inside "status" in the raw HTML.

Minimal reproduction

The Microsoft We rule matches us using the pattern (?<![a-zA-Z])us(?![a-zA-Z]). Despite the negative lookahead/lookbehind, the false positive is not suppressed — because these guards apply when Vale matches the rule pattern against extracted prose text, not during position mapping.

HTML containing:

<span class="status technology-preview"></span>

Vale reports a warning for us at the column of the status attribute value, even though the <span> is empty and IgnoredClasses = status is set.

IgnoredClasses does not prevent this because it suppresses linting of text content inside matching elements. An empty element has no text content to suppress; the false positive comes from the position-mapping step, not the rule-matching step. The same false positive occurs regardless of whether the rule uses word boundaries, negative lookahead/lookbehind, or any other guard — all such guards are evaluated against the extracted prose, not the raw HTML context used by initialPosition.

Fix

Two guards in initialPosition (internal/core/location.go):

1. fsi path: skip any regex match where the character at start-1 or end+1 in the context is @. Such boundaries are artifacts of walker substitution, not real word boundaries in prose. When all candidates are skipped, fall back to guessLocation.

2. strings.Index fallback path: check whether the character before or after the match is a word character (\w). If so, the match is a substring of a longer token and the position is unreliable — fall back to guessLocation.

[jdkato]

Can you share your .vale.ini file? class values are not linted, so there’s something else going on here.

[veshivas]

Here is the .vale.ini file that we have been using for a while now:

# Core settings
StylesPath = styles
MinAlertLevel = suggestion #, warning or error

#A comma-separated list of CSS classes to ignore.
#Vale ignores all HTML blocks that use these classes
IgnoredClasses = alignedsummary, fn, copy-notice, cpp, qml, footer, navigationbar, tblQmlPropNode

#A comma-separated list of HTML blocks to ignore.
#Vale ignores pre, code, and few more by default.
SkippedScopes = header, footer, script

#A comma-separated list of inline HTML elements to skip
IgnoredScopes = a,code,b

#Style packages from the github.com/errata-ai repo
#vale can sync these packages to ensure they are always
#up-to-date.
Packages = Microsoft

#Vocabulary containing the list of words that you either
#want to accept or reject. For more information about
#this, refer to: https://vale.sh/docs/topics/vocab/
Vocab = Qt, qul

# Global settings (applied to every syntax)
#[*.{cpp,qdoc,qml,qdocinc}]
[*.html]

# List of styles to load
# Vale, Microsoft, and write-good are the only styles you
# could choose from at the moment. You can download and add
# more styles from here:
# https://github.com/errata-ai/packages
#BasedOnStyles = Microsoft, Vale, jQuery, write-good, #Qt

# Enable/disable each rule offered by the style
# Style.Rule = {YES, NO} to enable or disable a specific rule
Vale.Terms = YES
Vale.Avoid = YES
Microsoft.OxfordComma = YES
Microsoft.Passive = YES
Microsoft.Dashes = YES
Microsoft.Spacing = YES
Microsoft.Wordiness = YES
Microsoft.We = YES
Microsoft.OxfordComma = YES
Qt.LoseLoose = YES
Qt.Repetition = YES
Qt.Headings = YES
# Extends the built-in spell checker with additional filters
Qt.Spelling = YES

[veshivas]

BTW, I have a fix here that avoids this issue: v3...veshivas:vale:fix/html-position-mapping

[jdkato]

There seems to be some confusion about how Vale works but, in any case, I'd like to better understand the conditions that lead to the behavior you're seeing.

I can't reproduce it with your example:

What you're seeing is usually an indication that Vale isn't understanding the underlying markup. Can you share an example that demonstrates the bug?

[veshivas]

Here, this is the HTML page where you see "us" in "Status" being highlighted. In fact, if I lint that page locally using the same config, vale reports a warning for the class attribute.

[jdkato]

I still can't reproduce this. Here's what I get:

❯ vale cases/test.html

 cases/test.html
 72:89     warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'Us'.               
 194:105   warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'us'.               
 194:121   warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'us'.               
 1413:97   warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'we'.               
 3569:101  warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'Us'.               
 3584:104  warning  Try to avoid using              Microsoft.We 
                    first-person plural like                     
                    'Our'.                                       

✖ 0 errors, 6 warnings and 0 suggestions in 1 file.

These are all accurately reported. <span class="status technology-preview"></span> only appears once at line 197 (after file formatting).

Here's the file: https://gist.github.com/jdkato/5a5b1a0f23c26259774d0eb2a1152fda

[veshivas]

The URL I shared earlier, includes annotations that are added based on the vale report. Strip them and try again. I'm using vale 3.14.0 from homebrew and this are the warnings I get:

tests/jdkato-test.html
 196:64    warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'us'.               
 756:73    error    Did you really mean 'lvalue'?   Qt.Spelling  
 756:91    error    Did you really mean 'lvalue'?   Qt.Spelling  
 758:73    error    Did you really mean 'rvalue'?   Qt.Spelling  
 758:91    error    Did you really mean 'rvalue'?   Qt.Spelling  
 800:73    error    Did you really mean 'rvalue'?   Qt.Spelling  
 845:73    error    Did you really mean 'rvalue'?   Qt.Spelling  
 937:73    error    Did you really mean             Qt.Spelling  
                    'toplevel'?                                  
 1319:73   error    Did you really mean             Qt.Spelling  
                    'dereferencing'?                             
 1319:98   error    Did you really mean             Qt.Spelling  
                    'dereferencing'?                             
 1412:97   warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'we'.               
 1466:79   warning  Try to avoid using              Microsoft.We 
                    first-person plural like 'us'.               
 1614:73   error    Did you really mean             Qt.Spelling  
                    'dereferencing'?                             
 3682:117  error    Did you really mean 'Oy'?       Qt.Spelling  

The first one is a false positive. BTW, what's your host platform? Here is another URL to the same HTML, but without annotations: https://doc-snapshots.qt.io/qt6-6.11/qrangemodeladapter.html. Here is another URL to a similar looking API reference page, but vale doesn't report a false positive: https://doc-snapshots.qt.io/qt6-6.11/qandroidbinder.html

[jdkato]

This should be fixed in the next release.

[kkoehne]

@jdkato , thanks! 'next release' will be 3.15.0? Or 3.14.1?