Closed 43081j closed 1 year ago
Wondering if this would be a better fit in the WC plugin instead of lit?
Also wondering if array of strings (attributes) will be too limiting long term? Will we need to add disallowed attributes based on their values or per element/component? Just food for thought
i think we desperately need to update this plugin to depend on the wc plugin, then it'd make sense to put this rule there.
unfortunately, until then i suspect people don't realise that plugin exists a lot of the time but do know this exists.
ill have a go at adding that dependency in separately before we decide on this rule
ah! @stramel it does belong in here after all i think. because this is specific to attributes used within templates.
if we did it in the wc plugin, it'd only be capable of detecting them in shadow root innerHTML
and not much else.
Personally I believe the entry text at docs/rules/ban-attributes.md could mention that a common use case is to disable the style
attribute due to CSP directives best-practices. But maybe you do not want to be that explicit in docs?
it could be a nice example to add to the intro at the top of those docs i think, just a brief one like:
For example, you may want to disallow attributes such as
style
to comply with content security policy best practices.
Fixes #123