Rules Example

Rule: target="_blank" Security Issue

When a link uses target="_blank", the page opened in the new tab receives a reference to the original window object (window.opener) and can use it to redirect the original page to a malicious URL. In this example, the rule looks for patterns of "_blank" and suggests adding rel="noopener", which prevents the opened page from obtaining that reference.

```yaml
rules:
  - id: target-blank  # placeholder: the original page leaves the id blank, but Goodcheck requires one
    pattern:
      - token: 'target="_blank"'
      - token: 'target: "_blank"'
    message: |
      Specify rel="noopener" for security reasons.
      Opening new tab without rel="noopener" may cause a security issue.
      It allows modifying original tab URLs from opened tabs.
    justification:
      - When opening a URL in our service
    glob:
      - "**/*.html"
      - "**/*.html.erb"
    fail:
      - '<a href="" target="_blank">GitHub</a>'
    pass:
      - '<a href="/signup">Signup</a>'
```
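As an added example (not Goodcheck's code and not from the original page), the same check written out in Ruby: it flags an anchor only when it opens a new tab and its rel attribute lacks noopener (or noreferrer, which implies noopener in current browsers), whereas the token rule above flags every target="_blank", including links that already carry rel="noopener", so those need a justification entry or a refined pattern. The sample HTML is constructed for the example.

```ruby
# Added example, not part of Goodcheck or this page: a finer-grained version of
# the target="_blank" rule that inspects the rel attribute before reporting.

ANCHOR_RE = /<a\b[^>]*>/i

# Returns the value of an attribute inside an anchor tag, or nil if absent.
# Handles double-quoted, single-quoted and unquoted attribute values.
def attr_value(tag, name)
  m = tag.match(/\b#{name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
  return nil unless m
  m[1] || m[2] || m[3]
end

# True when the anchor opens a new browsing context and rel does not sever
# the opener reference (noopener, or noreferrer which implies it).
def unsafe_blank?(tag)
  return false unless attr_value(tag, "target")&.casecmp?("_blank")
  rel = attr_value(tag, "rel").to_s.downcase.split
  !(rel.include?("noopener") || rel.include?("noreferrer"))
end

# Scans HTML text and returns [line_number, tag] pairs for unsafe anchors.
def find_unsafe_links(html)
  findings = []
  html.each_line.with_index(1) do |line, lineno|
    line.scan(ANCHOR_RE) { |tag| findings << [lineno, tag] if unsafe_blank?(tag) }
  end
  findings
end

# Constructed sample input: only line 2 should be reported.
SAMPLE_HTML = <<~HTML
  <a href="/signup">Signup</a>
  <a href="https://github.com" target="_blank">GitHub</a>
  <a href="https://example.com" target="_blank" rel="noopener">Safe</a>
  <a href="https://example.com" rel="noreferrer" target='_blank'>Also safe</a>
HTML

if __FILE__ == $PROGRAM_NAME
  find_unsafe_links(SAMPLE_HTML).each do |lineno, tag|
    puts "#{lineno}: #{tag}  -> add rel=\"noopener\""
  end
end
```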

Rule: Sign in

This rule needs customization.

Keep wording consistent to provide a clear experience for users. In this example, any occurrence of "Log in" or "Log out" prompts a suggestion to use "sign in" / "sign out" instead.

```yaml
rules:
  - id: wording.signin
    pattern:
      - token: Log in
        case_sensitive: false
      - token: Log out
        case_sensitive: false
    glob:
      - "**/*.html.erb"
      - "**/*.yml"
    message: |
      Please use “sign in”/“sign out”
      We use “sign in” instead of “log in” and “sign out” instead of “log out”.
      See the wording policy for details.
    fail:
      - "Log in"
      - "Log out"
    pass:
      - "Sign in"
      - "Sign out"
```

Rule: Sass mixin

This rule needs customization.

A Sass mixin lets you define a group of CSS declarations that you want to reuse throughout your site. In this example, the rule warns whenever the hard-coded color declaration appears and suggests using a mixin instead.

```yaml
rules:
  - id: use-mixin
    message: Use mixin.
    pattern: "color: #038cf4;"
    pass:
      - "@include some-mixin;"
    fail:
      - "color: #038cf4;"
```

Rule: Disallow offensive words

This rule needs customization.

The use of offensive words can cost you the trust of your customers. The following rules flag their use and suggest neutral alternatives.

```yaml
rules:
  - id: disallow-whitelist
    message: Use "allowlist", not "whitelist".
    pattern:
      literal: whitelist
      case_sensitive: false
    pass: [allowlist, Allowlist]
    fail: [whitelist, Whitelist]
  - id: disallow-blacklist
    message: Use "blocklist", not "blacklist".
    pattern:
      literal: blacklist
      case_sensitive: false
    pass: [blocklist, Blocklist]
    fail: [blacklist, Blacklist]
```