Jinja check: Missing doctype

HTML documents must include a DOCTYPE declaration at the beginning of the document. This prevents the browser from switching into "quirks mode". Quirks mode can also impact the security of the web page.

Description

Web pages missing a DOCTYPE declaration may be vulnerable to many different esoteric forms of XSS attacks, such as JavaScript execution via the <title> tag or via a VML frame.

This check will detect the following case.

<html>
  <body>
    ...
  </body>
</html>

The check will consider the following cases acceptable.

<!DOCTYPE html>
<html>
  <body>
    ...
  </body>
</html>

{% extends "header.html" %}
<div>
  ...
</div>
{% extends "footer.html" %}

This check only looks for a missing DOCTYPE in HTML documents that include the <html> tag, to avoid issues with template inheritance.
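
The rule described above, sketched in Python as an added example (this is not the linter's own implementation). The function names and sample templates are constructed for illustration, and treating a DOCTYPE that is commented out or placed after <html> as missing is an assumption of this sketch.

```python
import re

# Jinja comments, statements and expressions, plus HTML comments, are
# stripped first so that a commented-out DOCTYPE or <html> does not count.
_NOISE = re.compile(r"\{#.*?#\}|\{%.*?%\}|\{\{.*?\}\}|<!--.*?-->", re.DOTALL)
_HTML_TAG = re.compile(r"<html[\s>]", re.IGNORECASE)
_DOCTYPE = re.compile(r"<!doctype\s+html\b", re.IGNORECASE)


def missing_doctype(template_source):
    """Return True when the template opens <html> with no DOCTYPE before it."""
    text = _NOISE.sub("", template_source)
    html_tag = _HTML_TAG.search(text)
    if html_tag is None:
        # Fragment or child template: the DOCTYPE belongs to whichever
        # template emits <html>, so there is nothing to report here.
        return False
    doctype = _DOCTYPE.search(text)
    return doctype is None or doctype.start() > html_tag.start()


# Constructed samples mirroring the cases on this page, plus two edge cases.
SAMPLES = {
    "no_doctype.html": "<html>\n  <body>...</body>\n</html>\n",
    "with_doctype.html": "<!DOCTYPE html>\n<html>\n  <body>...</body>\n</html>\n",
    "fragment.html": '{% extends "header.html" %}\n<div>...</div>\n',
    "commented_doctype.html": '<!-- <!DOCTYPE html> -->\n<html lang="en"></html>\n',
    "late_doctype.html": "<html>\n<!DOCTYPE html>\n<body></body>\n</html>\n",
}


def scan(samples):
    """Return the sorted names of templates that would be flagged."""
    return sorted(name for name, src in samples.items() if missing_doctype(src))


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"{name}: missing DOCTYPE")
```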
