{"id":25139,"library":"csp-html-linter","title":"csp-html-linter","description":"A tool to lint HTML files for markup that a nonce-based Content Security Policy (CSP) would block: inline style attributes, inline JavaScript (for example javascript: URLs), style tags without a nonce, and script tags without a nonce. Current stable version is 1.0.13. It is designed to run as a build step so that violations are caught before deployment rather than showing up as blocked resources in the browser. Differentiators: simple CLI and programmatic API, zero dependencies, and violations returned either as an array of message strings or as objects with location info. Offers a narrow but focused set of checks, suitable for integration into CI pipelines.","status":"active","version":"1.0.13","language":"javascript","source_language":"en","source_url":"https://github.com/mdownes/csp-html-linter","tags":["javascript","lint","csp-html-linter","content security policy html linting","typescript"],"install":[{"cmd":"npm install csp-html-linter","lang":"bash","label":"npm"},{"cmd":"yarn add csp-html-linter","lang":"bash","label":"yarn"},{"cmd":"pnpm add csp-html-linter","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The package ships as a CommonJS module and require() is the documented way to load it. A default ESM import can resolve to undefined in toolchains without CommonJS interop (for example TypeScript without esModuleInterop), so prefer require() or dynamic import(). TypeScript types are shipped; @types/node or similar may be needed in TypeScript projects.","wrong":"import cspHtmlLinter from 'csp-html-linter';","symbol":"cspHtmlLinter","correct":"const cspHtmlLinter = require('csp-html-linter');"},{"note":"The main export is an object with a parse method; there is no default export. Call parse directly on the required object.","wrong":"cspHtmlLinter.default.parse(code, options);","symbol":"parse","correct":"cspHtmlLinter.parse(code, options);"},{"note":"The CLI takes its file list only from the --include argument as a glob string; bare file paths are ignored. Quote the glob so the shell passes it through unexpanded instead of splitting it into positional arguments.","wrong":"npx csp-html-linter src/**/*.html","symbol":"csp-html-linter CLI","correct":"csp-html-linter --include \"src/**/*.html\" --verbose"}],"quickstart":{"code":"// Install: npm install csp-html-linter --save-dev\n\nconst cspHtmlLinter = require('csp-html-linter');\n\nconst htmlCode = `\n<div style=\"color:red;\">Text</div>\n<script>alert('xss')</script>\n<a href=\"javascript:void(0)\">click</a>\n`;\n\nconst violations = cspHtmlLinter.parse(htmlCode, { includeLocationInfo: true });\nconsole.log('Violations:', violations);\n// Example output:\n// Violations: [\n//   { message: 'Inline styles are not allowed', location: { startLine: 2, startCol: 5, ... } },\n//   { message: 'Script tags without nonce are not allowed', location: { startLine: 3, startCol: 1, ... } },\n//   { message: 'Inline JavaScript is not allowed', location: { startLine: 4, startCol: 9, ... } }\n// ]","lang":"javascript","description":"Shows programmatic usage with parse() and options, including location info."},"warnings":[{"fix":"Use const cspHtmlLinter = require('csp-html-linter'); or use dynamic import() if your environment supports it.","message":"The package is CommonJS. A default ESM import can yield undefined in toolchains without CommonJS interop, which surfaces as a runtime error when parse is called; require() always works.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always pass --include with a quoted glob, e.g., --include \"src/**/*.html\".","message":"The CLI selects files only via --include with a glob string; a file path passed as a positional argument is ignored and nothing is linted. An unquoted glob is expanded by the shell before the CLI sees it.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Check the options.includeLocationInfo value or use a type guard to handle both cases.","message":"The parse() method returns an array of strings by default, but when includeLocationInfo is true, it returns an array of objects with message and location. Mixing these return types can break downstream code expecting strings.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Set each option you rely on explicitly rather than depending on defaults; an unexpected violation usually means the corresponding allow option was omitted.","message":"All options default to false, so with no options every inline style, inline JavaScript, and nonce-less style or script tag is reported. Anything you intend to allow must be enabled explicitly by setting its option to true.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Treat the linter as a check for missing nonce attributes, not as proof that the nonce scheme is sound; verify nonce generation and header injection separately.","message":"The nonce checks only confirm that a nonce attribute is present. CSP requires the nonce value to be unpredictable and generated fresh for every response, so a nonce hard-coded in a static template passes the linter yet provides no protection.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Change import to require: const cspHtmlLinter = require('csp-html-linter');","cause":"Using default import with ESM syntax instead of require().","error":"TypeError: cspHtmlLinter.parse is not a function"},{"fix":"Use --include with double quotes around the glob, e.g., --include \"src/**/*.html\"","cause":"CLI --include argument is missing or not properly quoted.","error":"Mismatched quotes or missing glob pattern"},{"fix":"When includeLocationInfo is false, each violation is a string, not an object. Check your options or handle both types.","cause":"Assuming includeLocationInfo returns object with message property without checking if location info is enabled.","error":"TypeError: Cannot read property 'message' of undefined"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}