[Content Fixer] update-rules-better-javascript — fix 5 issues (outdated JavaScript guidance)

[github-actions]

ContentHawk — Agent 3 (Fixer) Results

Summary

Metric	Count
Issues fixed	5
Issues skipped	0

Intent

Check if the rules are up to date. Consider modern approaches to JavaScript, such as back-end development with Node.js, or developing complex web applications using frameworks such as React and Angular. Flag rules that are outdated or missing modern context.

Label

update-rules-better-javascript

Snapshot

.github/ContentHawk/TODO/2026-04-24_Snapshot_update-rules-better-javascript.md

Issues resolved

Closes #12566
Closes #12567
Closes #12568
Closes #12569
Closes #12570

Changes made

• 🦅 ContentHawk - Content Audit: Outdated guidance: add progressive enhancement advice #12566 — do-you-avoid-relying-on-javascript-for-crucial-actions: Added sections on progressive enhancement, modern SSR/SSG architecture (Next.js, Remix, Nuxt, Astro), ARIA roles and focus management for accessibility, and testing strategies for no-JS scenarios. Removed outdated Flash/Java references.

• 🦅 ContentHawk - Content Audit: Update semicolon rule to reflect modern tooling #12567 — do-you-always-use-semicolons-on-your-js-file: Expanded with concrete ASI pitfall examples (return statement and leading [/( edge cases), added guidance on enforcing consistency via ESLint and Prettier with sample config snippets.

• 🦅 ContentHawk - Content Audit: Modernize jQuery styling guidance #12568 — do-you-avoid-making-changes-to-individual-css-styles-using-jquery: Added proper code block examples for bad/good jQuery usage, a new section on modern approaches including vanilla JS classList, CSS variables, and state-driven styling in React/Vue/Angular, plus guidance on when inline style manipulation is acceptable.

• 🦅 ContentHawk - Content Audit: Expand comments guidance for modern JavaScript practices #12569 — do-you-comment-your-javascript-code: Rewrote to focus on self-documenting code, added JSDoc examples for public APIs, explained how TypeScript types reduce JSDoc boilerplate, fixed the document.write inline code example into a proper code block, and added tooling recommendations (ESLint jsdoc plugin, TypeDoc, JSDoc).

• 🦅 ContentHawk - Content Audit: Add security and CSP notes for eval guidance #12570 — do-you-know-not-to-use-the-eval-function: Added XSS security risk explanation, CSP ('unsafe-eval') discussion, OWASP reference link, and a lookup-table pattern as a modern safe alternative. Reformatted the original bad/good examples into proper code blocks.

---

contenthawk-fixer-run-id: 24869151762

Generated by Content Fixer (Agent 3a) · ● 807.8K · ◷

[desiorac]

new Function() in the safe alternatives list is misleading. It's also blocked by CSP 'unsafe-eval', so it doesn't belong alongside JSON.parse() and DOMParser. In environments with a strict CSP (which is the point of the rule), both eval() and new Function() are blocked identically. Listing new Function() as an alternative creates a false sense of safety for the main case you want to protect against.

Also worth flagging: Trusted Types aren't mentioned. They're the modern defense for DOM XSS involving dynamic code execution - if the rule covers innerHTML and eval, Trusted Types should be part of the solution space, especially for newer frameworks where it's enforceable via CSP require-trusted-types-for.