toniedzwiedz
commented
1 year ago Hi @anrayt, l believe HTL-7 was intended as a check for literals, i.e. verbatim JavaScript and CSS code being output. The VIOLATION_MESSAGE seems to confirm that.
Looking at the implementation https://github.com/wttech/AEM-Rules-for-SonarQube/blob/master/src/main/java/com/cognifide/aemrules/htl/checks/ScriptsAndStyleMandatoryDisplayContextCheck.java#L69, the rule applies to all expressions within a <script> tag, even when it's inside an src attribute.
In your situation, I'd keep the code as-is, with the implicit, default display context on the src attribute, and mark the violation of HTL-7 as a false positive/won't fix.
The rule could use an improvement.
anrayt
Hey, folks! I'd wish to discuss some rules related to HTL which is not clear to me " HTL-6 HTL automatically recognises the context for HTML output
HTL uses uri display context as default for src, poster, manifest, href, formaction, data, cite, action attributes HTL-7 Style and script tags display context definition is mandatory " Let me share an example:
<script type="text/javascript" src="${'{0}/some-js-file.js' @ format = [inheritedPageProperties.someProperty]}"></script>There is a major issue with the rule HTL-7 - no context is provided with a script tag. Okay, I'll fix it by addingcontext='uri'because it's actually an uri. But, after that, one more issue will be here: HTL-6 - HTL uses uri display context as default for src . To fix that, I changed the context to -context='attribute'. It also looks ok to me, but maybe you could clarify a little bit about how it's expected to be used correctly. Thanks in advance, Anton