html-inspector
HTML Inspector is a code quality tool to help you and your team write better markup. It's written in JavaScript and runs in the browser, so testing your HTML has never been easier.
HTML Inspector is a highly-customizable, code quality tool to help you (and your team) write better markup. It aims to find a balance between the uncompromisingly strict W3C validator and having absolutely no rules at all (the unfortunate reality for most of us).
HTML Inspector is opinionated, but every rule is completely customizable, so you can take what you like and change what you don't. It's also easy to extend, allowing teams to write their own rules to enforce their chosen conventions.
For a more formal introduction, please refer to this blog post which goes into more detail as to why HTML Inspector was created and why you should consider using it.
The easiest way to try out HTML Inspector is to link to the source file hosted on CDNJS (note that this snippet loads the script over plain http and without a Subresource Integrity hash; for anything beyond a throwaway dev page, use https and pin the file with an `integrity` attribute):

```html
<script src="http://cdnjs.cloudflare.com/ajax/libs/html-inspector/0.7.3/html-inspector.js"></script>
```
It can also be installed via NPM or Bower:

```sh
# NPM (for command line usage)
npm install -g html-inspector

# Inspect a file from the command line
# Note: the CLI requires phantomjs to be installed
# http://phantomjs.org/download.html
htmlinspector path/to/file.html

# View the CLI options
htmlinspector --help

# Bower (for browser usage)
bower install html-inspector
```
If you clone the Github repo, just use the file named `html-inspector.js` in the project root.

Once HTML Inspector is added, you can run `HTMLInspector.inspect()` to see the results. Calling `inspect` with no options will load all rules and run them with their default configuration options.

```html
<script src="path/to/html-inspector.js"></script>
<script> HTMLInspector.inspect() </script>
```
After the script runs, any errors will be reported to the console (unless you change this behavior).

Make sure you call `inspect` after any other DOM-altering scripts have finished running, or those alterations won't get inspected.
By default, HTML Inspector runs all added rules, starts traversing from the `<html>` element, and logs errors to the console when complete, but all of this can be customized. The `inspect` method takes a config object that lets you change any of this behavior; the available options are the keys shown in the default configuration below. If `useRules` and `excludeRules` are both set, the excluded rules are removed from the list of rules to use. Here are the default configuration values:
```js
config: {
  domRoot: "html",
  useRules: null,
  excludeRules: null,
  excludeElements: "svg",
  excludeSubTrees: ["svg", "iframe"],
  onComplete: function(errors) {
    errors.forEach(function(error) {
      console.warn(error.message, error.context)
    })
  }
}
```
Here is how you might override the default configurations:

```js
HTMLInspector.inspect({
  domRoot: "body",
  excludeRules: ["some-rule-name", "some-other-rule-name"],
  excludeElements: ["svg", "iframe"],
  onComplete: function(errors) {
    errors.forEach(function(error) {
      // report errors to external service...
    })
  }
})
```
For convenience, some of the config options may be passed as single arguments. If `.inspect()` receives an argument that is an array, it is assumed to be the `useRules` option; if it's a string or DOM element, it's assumed to be the `domRoot` option; and if it's a function, it's assumed to be the `onComplete` callback.
```js
// only set the useRules option
HTMLInspector.inspect(["some-rule-name", "some-other-rule-name"])

// only set the domRoot
HTMLInspector.inspect("#content")

// only set the onComplete callback
HTMLInspector.inspect(function(errors) {
  errors.forEach(function(error) {
    // report errors to an external service...
  })
})
```
HTML Inspector ships with a set of built-in rules which fall into one of three main categories: validation, best-practices, and convention.
Each rule is registered via a unique string identifier that can be used to include or exclude it at inspection time.
Here is the full list of built in rules by their identifiers:
```text
# validation rules
validate-elements
validate-element-location
validate-attributes
duplicate-ids
unique-elements

# best-practices
inline-event-handlers
script-placement
unused-classes
unnecessary-elements

# convention
bem-conventions
```
The following is a more in-depth explanation of each rule:
HTML Inspector is different from a markup validator. Validators parse static markup, while HTML Inspector runs on a live DOM. This makes it a lot more powerful, but there are some drawbacks as well. Because HTML Inspector runs after the browser has parsed your HTML, any mistakes the browser has silently corrected will not be seen by HTML Inspector.
As a result HTML Inspector should not be seen as a replacement for validation. It's simply another tool in the toolbox. That being said, there is still a lot that it can do (and does) to validate your markup.
Here are the validation rules that ship with HTML Inspector. (Expect this list to get more comprehensive in the future.)
Validate Elements: Inspects each element in the DOM and reports any elements that are invalid or obsolete. This will catch simple things like misspelled tags (`<il>` instead of `<li>`), and it will inform you of deprecated tags (like `<center>`, `<font>`, and more recently `<hgroup>`). Any element you don't want to be warned about can be whitelisted.

Validate Element Location: Makes sure that elements don't appear as children of parents they're not allowed to descend from. An example of this is a block element like `<div>` appearing as the child of an inline element like `<span>`.

Validate Attributes: Like validating elements, this rule will let you know if you're using attributes that don't belong on a particular element or perhaps don't belong on any element. If your project uses custom attributes (like `ng-*` in AngularJS), they can be whitelisted.

Duplicate IDs: Warns if non-unique IDs are found on the same page.

Unique Elements: Warns if elements that should be unique (like `<title>` and `<main>`) appear more than once in the document.
Some markup may be perfectly valid but use practices that are commonly considered to be poor or outdated. The following rules check for these types of things. (Note that everything in this list is subjective and optional.)
Inline Event Handlers: Warns if inline event handlers, like `onclick="return false"`, are found in the document. Inline event handlers are hard to manage, hard to debug, and completely non-reusable.

Script Placement: Warns if script elements appear anywhere other than right before the closing `</body>` tag. Because JavaScript is blocking, adding `<script>` elements anywhere other than the end of the document may delay the loading of the page. If a script must appear somewhere other than the end of the document, it can be whitelisted.

Unused Classes: Sometimes you'll remove a CSS rule from your stylesheet but forget to remove the class from the HTML. The "unused-classes" rule compares all the class selectors in the CSS to the classes in the HTML and reports any that aren't being used.

Classes that are in the HTML as JavaScript hooks can be ignored via a whitelist. By default, any class prefixed with `js-`, `language-`, or `supports-` is whitelisted. More information on the rationale behind this rule can be found here.

Unnecessary Elements: Any time you have a plain `<div>` or `<span>` element in the HTML with no class, ID or any other attribute, it's probably unnecessary or a mark of poor design.

Elements with no semantic meaning should only be used for presentation. If the element has no attributes but is used for styling, it must be done through a rule like `.some-class > div { }`, which is just asking for trouble. Again, more information can be found here.
The real power of HTML Inspector lies in its ability to enforce your team's chosen conventions. If you've decided that all groups of links should be contained in a `<nav>` element, or that all `<section>` elements must contain a heading, you can write those rules, and an error will be thrown when someone breaks them.

Because convention is usually specific to individual teams, there's only one built-in rule in this category, but hopefully it'll get you thinking about rules your team could use.

BEM: The increasingly popular BEM (block, element, modifier) methodology is a CSS naming convention that is very helpful for large projects. The problem is that using it correctly in the CSS is only half the battle. If it's not used correctly in the HTML, it doesn't work either.

This rule throws an error when an element class name is used but that element isn't a descendant of a block by the same name. It also errors when a modifier is used on a block or element without the unmodified class there too.

(Note: there are a few different BEM naming conventions out there. HTML Inspector supports the three most common.)
Rules are the bread and butter of HTML Inspector. They are where you check for problems and report errors.

Here's how you add new rules:

```js
HTMLInspector.rules.add(name, [config], func)
```

The `name` parameter is a string used to identify the rule. It must be unique.

The `config` parameter stores configuration data that is used by the rule. Anything that users of your rule might want to customize themselves should be set in the `config` object.

The `func` parameter is an initialization function that is invoked as soon as you call `HTMLInspector.inspect()`. The function is passed three arguments: `listener`, `reporter`, and `config`. The `listener` object is used to subscribe to events that are triggered as HTML Inspector is traversing the DOM. When problems are found, they can be reported to the `reporter` object. The `config` object is the same `config` that was passed to `HTMLInspector.rules.add`, though its properties may have been customized by other users between then and now.

The `listener` object can subscribe to events via the `on` method. Like with many other event binding libraries, `on` takes two parameters: the event name and a callback function:

```js
listener.on(event, callback)
```
Here is an example of binding a function to the "class" event:

```js
listener.on("class", function(className, domElement) {
  if (className == "foo" && domElement.nodeName.toLowerCase() == "bar") {
    // report the error
  }
})
```
Below is a complete list of events along with the arguments that are passed to their respective handlers. For events that occur on a DOM element, that element is passed as the final argument. It is also bound to the `this` context.
When you find something in the HTML that you want to warn about, you simply call the `warn` method on the `reporter` object.

```js
reporter.warn(rule, message, context)
```

Here's an example from the validate-elements rule:

```js
reporter.warn(
  "validate-elements",
  "The <" + name + "> element is not a valid HTML element.",
  element
)
```
Imagine your team previously used the custom data attributes `data-foo-*` and `data-bar-*`, but now the convention is to use something else. Here's a rule that would warn users when they're using the old convention:

```js
HTMLInspector.rules.add(
  "deprecated-data-prefixes",
  {
    deprecated: ["foo", "bar"]
  },
  function(listener, reporter, config) {
    // register a handler for the `attribute` event
    listener.on('attribute', function(name, value, element) {
      // anchored so only attribute names that actually start with "data-" match
      var match = /^data-([a-z]+)/.exec(name)
      var prefix = match && match[1]
      // return if there's no data prefix
      if (!prefix) return
      // loop through each of the deprecated names from the
      // config array and compare them to the prefix.
      // Warn if they're the same
      config.deprecated.forEach(function(item) {
        if (item === prefix) {
          reporter.warn(
            "deprecated-data-prefixes",
            "The 'data-" + item + "' prefix is deprecated.",
            element
          )
        }
      })
    })
  }
)
```
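As an added example that is not code from the html-inspector project, here is a security-oriented convention rule written against the same API: it warns when a `<script>` is loaded cross-origin without a Subresource Integrity `integrity` attribute, which is the check you would want before trusting any CDN-hosted script. The `runRule` harness and the `fakeElement` objects are constructed stand-ins for HTML Inspector's traversal so the file also runs under Node; `RULE`, `hostOf`, `requireSriRule`, `defaultConfig` and `findings` are names chosen here.

```javascript
// Added example, not code from html-inspector: a convention rule that warns when a <script>
// loads a cross-origin URL without a Subresource Integrity (integrity) attribute. It uses only
// the rule API documented above: rules.add, listener.on("attribute"), reporter.warn and config.
var RULE = "require-sri";
// Hosts allowed without an integrity hash (empty by default; users can change it via rules.extend).
var defaultConfig = { allowWithoutIntegrity: [] };
// Host of an absolute or protocol-relative URL, or null for a same-origin relative URL.
function hostOf(url) {
  var m = /^(?:https?:)?\/\/([^\/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}
function requireSriRule(listener, reporter, config) {
  listener.on("attribute", function (name, value, element) {
    if (name !== "src" || element.nodeName.toLowerCase() !== "script") return;
    var host = hostOf(value);
    if (!host || config.allowWithoutIntegrity.indexOf(host) !== -1) return;
    if (element.getAttribute("integrity")) return;
    reporter.warn(RULE, "Script " + value + " is loaded from " + host +
      " without an integrity attribute.", element);
  });
}
// Constructed stand-in for HTMLInspector's DOM traversal so this file also runs under Node:
// it fires an "attribute" event for every attribute of every fake element and collects warnings.
function runRule(rule, config, elements) {
  var handlers = {}, errors = [];
  var listener = { on: function (evt, cb) { (handlers[evt] = handlers[evt] || []).push(cb); } };
  var reporter = { warn: function (r, msg, ctx) { errors.push({ rule: r, message: msg, context: ctx }); } };
  rule(listener, reporter, config);
  elements.forEach(function (el) {
    Object.keys(el.attrs).forEach(function (attr) {
      (handlers.attribute || []).forEach(function (cb) { cb.call(el, attr, el.attrs[attr], el); });
    });
  });
  return errors;
}
function fakeElement(nodeName, attrs) {
  return { nodeName: nodeName.toUpperCase(), attrs: attrs,
    getAttribute: function (n) { return attrs.hasOwnProperty(n) ? attrs[n] : null; } };
}
// Constructed sample: unpinned CDN script, unpinned third-party script, pinned script, local script.
var sample = [
  fakeElement("script", { src: "https://cdnjs.cloudflare.com/ajax/libs/html-inspector/0.7.3/html-inspector.js" }),
  fakeElement("script", { src: "//widgets.example/embed.js" }),
  fakeElement("script", { src: "https://pinned.example/lib.js", integrity: "sha384-PLACEHOLDER", crossorigin: "anonymous" }),
  fakeElement("script", { src: "/js/app.js" })
];
function findings(config) { return runRule(requireSriRule, config || defaultConfig, sample); }
// In the browser, register the rule with HTML Inspector itself.
if (typeof HTMLInspector !== "undefined") HTMLInspector.rules.add(RULE, defaultConfig, requireSriRule);
```

Run against the constructed sample, the rule reports the two unpinned external scripts and stays quiet for the pinned and the same-origin ones; a team can relax it for a specific host with `HTMLInspector.rules.extend("require-sri", { allowWithoutIntegrity: ["cdnjs.cloudflare.com"] })`.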
Individual rules may or may not do exactly what you need, which is why most rules come with a configuration object that users can customize. A rule's configuration can be changed to meet your needs via the `extend` method of the `HTMLInspector.rules` object.

```js
HTMLInspector.rules.extend(rule, overrides)
```

If `overrides` is a function, it will be passed the rule's config object as its first argument. Here are two examples overriding the "deprecated-data-prefixes" rule defined above. The first example passes an object and the second passes a function:
```js
// using an object
HTMLInspector.rules.extend("deprecated-data-prefixes", {
  deprecated: ["fizz", "buzz"]
})

// using a function
HTMLInspector.rules.extend("deprecated-data-prefixes", function(config) {
  return {
    deprecated: config.deprecated.concat(["bazz"])
  }
})
```

Here are a few more examples. The following override the defaults of a few of the built-in rules.

```js
// use the `inuit.css` BEM naming convention
HTMLInspector.rules.extend("bem-conventions", {
  methodology: "inuit"
})

// add Twitter generated classes to the whitelist
HTMLInspector.rules.extend("unused-classes", {
  whitelist: /^js\-|^tweet\-/
})
```
HTML Inspector has been tested and is known to work in the latest versions of all modern browsers, including Chrome, Firefox, Safari, Opera, and Internet Explorer. It will not work in older browsers that do not support ES5 methods, the CSS Object Model, or `console.warn()`. Since HTML Inspector is primarily a development tool, it is not intended to work in browsers that aren't typically used for development and don't support modern Web standards.

If you need to test your site in older versions of IE and don't want to see JavaScript errors, simply wrap all your HTML Inspector code inside a conditional comment so it is ignored by IE9 and below. Here is an example:

```html
<!--[if gt IE 9]><!-->
<script src="path/to/html-inspector.js"></script>
<script>HTMLInspector.inspect()</script>
<!--<![endif]-->
```
If Grunt and all the dependencies are installed, you can run the tests with the following command.

```sh
grunt test
```

HTML Inspector has two test suites, one that runs in pure Node and one that uses Mocha and PhantomJS because it needs a browser.

If you want to run the browser tests in a real browser (instead of via PhantomJS), simply fire up a local server and load the `tests/html-inspector-test.html` file. Make sure to run `grunt test` beforehand, as it builds the tests.
I'm always open to feedback and suggestions for how to make HTML Inspector better. All feedback from bug reports to API design is quite welcome.
If you're submitting a bug report, please search the issues to make sure there isn't one already filed.
If you're submitting a pull request please read CONTRIBUTING.md before submitting.
The FAQs section has grown rather large, so it has been moved to its own page. You can find the full FAQs here.
The npm package html-inspector receives a total of 1 weekly downloads. As such, html-inspector popularity was classified as not popular.

We found that html-inspector demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.