From b63b79d1d872474e89aa77dab79edf893a5a32e4 Mon Sep 17 00:00:00 2001
From: NullVoxPopuli <199018+NullVoxPopuli@users.noreply.github.com>
Date: Tue, 10 Mar 2026 18:28:43 -0400
Subject: [PATCH 1/2] Extract rule: template-no-forbidden-elements

---
 README.md                                     |   1 +
 docs/rules/template-no-forbidden-elements.md  |  57 +++++++++
 lib/rules/template-no-forbidden-elements.js   |  65 ++++++++++
 .../rules/template-no-forbidden-elements.js   | 115 ++++++++++++++++++
 4 files changed, 238 insertions(+)
 create mode 100644 docs/rules/template-no-forbidden-elements.md
 create mode 100644 lib/rules/template-no-forbidden-elements.js
 create mode 100644 tests/lib/rules/template-no-forbidden-elements.js

diff --git a/README.md b/README.md
index c2924ba272..fe57ea27d1 100644
--- a/README.md
+++ b/README.md
@@ -215,6 +215,7 @@ rules in templates can be disabled with eslint directives with mustache or html
 | [template-no-debugger](docs/rules/template-no-debugger.md)                                                   | disallow {{debugger}} in templates                                           |    |    |    |
 | [template-no-dynamic-subexpression-invocations](docs/rules/template-no-dynamic-subexpression-invocations.md) | disallow dynamic subexpression invocations                                   |    |    |    |
 | [template-no-element-event-actions](docs/rules/template-no-element-event-actions.md)                         | disallow element event actions (use {{on}} modifier instead)                 |    |    |    |
+| [template-no-forbidden-elements](docs/rules/template-no-forbidden-elements.md)                               | disallow specific HTML elements                                              |    |    |    |
 | [template-no-html-comments](docs/rules/template-no-html-comments.md)                                         | disallow HTML comments in templates                                          |    | 🔧 |    |
 | [template-no-implicit-this](docs/rules/template-no-implicit-this.md)                                         | require explicit `this` in property access                                   |    |    |    |
 | [template-no-index-component-invocation](docs/rules/template-no-index-component-invocation.md)               | disallow index component invocations                                         |    |    |    |
diff --git a/docs/rules/template-no-forbidden-elements.md b/docs/rules/template-no-forbidden-elements.md
new file mode 100644
index 0000000000..5fd00a24e8
--- /dev/null
+++ b/docs/rules/template-no-forbidden-elements.md
@@ -0,0 +1,57 @@
+# ember/template-no-forbidden-elements
+
+<!-- end auto-generated rule header -->
+
+This rule disallows the use of forbidden elements in template files.
+
+The rule is configurable so teams can add their own disallowed elements.
+The default list of forbidden elements are `meta`, `style`, `html`, and `script`.
+
+## Examples
+
+This rule **forbids** the following:
+
+```gjs
+<template><script></script></template>
+```
+
+```gjs
+<template><style></style></template>
+```
+
+```gjs
+<template><html></html></template>
+```
+
+```gjs
+<template><meta charset='utf-8' /></template>
+```
+
+This rule **allows** the following:
+
+```gjs
+<template><header></header></template>
+```
+
+```gjs
+<template><div></div></template>
+```
+
+```gjs
+<template>
+  <head>
+    <meta charset='utf-8' />
+  </head>
+</template>
+```
+
+Note: `<meta>` inside `<head>` is allowed as an exception.
+
+## Configuration
+
+- `boolean` — `true` to enable with defaults / `false` to disable
+- `string[]` — an array of element names to forbid (default: `['meta', 'style', 'html', 'script']`)
+
+## References
+
+- [Ember guides/template restrictions](https://guides.emberjs.com/release/components/#toc_restrictions)
diff --git a/lib/rules/template-no-forbidden-elements.js b/lib/rules/template-no-forbidden-elements.js
new file mode 100644
index 0000000000..3857f57f17
--- /dev/null
+++ b/lib/rules/template-no-forbidden-elements.js
@@ -0,0 +1,65 @@
+const DEFAULT_FORBIDDEN = ['meta', 'style', 'html', 'script'];
+
+/** @type {import('eslint').Rule.RuleModule} */
+module.exports = {
+  meta: {
+    type: 'suggestion',
+    docs: {
+      description: 'disallow specific HTML elements',
+      category: 'Best Practices',
+      recommendedGjs: false,
+      recommendedGts: false,
+      url: 'https://github.com/ember-cli/eslint-plugin-ember/tree/master/docs/rules/template-no-forbidden-elements.md',
+      templateMode: 'both',
+    },
+    schema: [
+      {
+        oneOf: [{ type: 'array', items: { type: 'string' } }, { type: 'boolean' }],
+      },
+    ],
+    messages: { forbidden: 'Use of forbidden element <{{element}}>' },
+    originallyFrom: {
+      name: 'ember-template-lint',
+      rule: 'lib/rules/no-forbidden-elements.js',
+      docs: 'docs/rule/no-forbidden-elements.md',
+      tests: 'test/unit/rules/no-forbidden-elements-test.js',
+    },
+  },
+  create(context) {
+    const rawConfig = context.options[0];
+    let forbiddenList;
+
+    if (rawConfig === true || rawConfig === undefined) {
+      forbiddenList = DEFAULT_FORBIDDEN;
+    } else if (Array.isArray(rawConfig)) {
+      forbiddenList = rawConfig;
+    } else {
+      forbiddenList = [];
+    }
+
+    const forbidden = new Set(forbiddenList);
+
+    // Track element stack for <meta> in <head> exception
+    const elementStack = [];
+
+    return {
+      GlimmerElementNode(node) {
+        elementStack.push(node.tag);
+
+        if (!forbidden.has(node.tag)) {
+          return;
+        }
+
+        // Exception: <meta> inside <head> is allowed
+        if (node.tag === 'meta' && elementStack.includes('head')) {
+          return;
+        }
+
+        context.report({ node, messageId: 'forbidden', data: { element: node.tag } });
+      },
+      'GlimmerElementNode:exit'() {
+        elementStack.pop();
+      },
+    };
+  },
+};
diff --git a/tests/lib/rules/template-no-forbidden-elements.js b/tests/lib/rules/template-no-forbidden-elements.js
new file mode 100644
index 0000000000..3127415030
--- /dev/null
+++ b/tests/lib/rules/template-no-forbidden-elements.js
@@ -0,0 +1,115 @@
+const rule = require('../../../lib/rules/template-no-forbidden-elements');
+const RuleTester = require('eslint').RuleTester;
+
+const ruleTester = new RuleTester({
+  parser: require.resolve('ember-eslint-parser'),
+  parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
+});
+ruleTester.run('template-no-forbidden-elements', rule, {
+  valid: [
+    { code: '<template><div></div></template>', options: [['script']] },
+    '<template><header></header></template>',
+    '<template><footer></footer></template>',
+    '<template><p></p></template>',
+    '<template><head><meta charset="utf-8"></head></template>',
+  ],
+  invalid: [
+    {
+      code: '<template><script></script></template>',
+      output: null,
+      options: [['script']],
+      errors: [{ messageId: 'forbidden' }],
+    },
+
+    {
+      code: '<template><html></html></template>',
+      output: null,
+      errors: [{ messageId: 'forbidden' }],
+    },
+    {
+      code: '<template><style></style></template>',
+      output: null,
+      errors: [{ messageId: 'forbidden' }],
+    },
+    {
+      code: '<template><meta charset="utf-8"></template>',
+      output: null,
+      errors: [{ messageId: 'forbidden' }],
+    },
+    {
+      code: '<template><head><html></html></head></template>',
+      output: null,
+      errors: [{ messageId: 'forbidden' }],
+    },
+    {
+      code: '<template><Foo /></template>',
+      output: null,
+      options: [['Foo']],
+      errors: [{ messageId: 'forbidden' }],
+    },
+  ],
+});
+
+const hbsRuleTester = new RuleTester({
+  parser: require.resolve('ember-eslint-parser/hbs'),
+  parserOptions: {
+    ecmaVersion: 2022,
+    sourceType: 'module',
+  },
+});
+
+hbsRuleTester.run('template-no-forbidden-elements', rule, {
+  valid: [
+    '<header></header>',
+    '<div></div>',
+    '<footer></footer>',
+    '<p></p>',
+    '<head><meta charset="utf-8"></head>',
+    // Custom forbidden list (script not included).
+    {
+      code: '<script></script>',
+      options: [['html', 'meta', 'style']],
+    },
+  ],
+  invalid: [
+    // Default config.
+    {
+      code: '<script></script>',
+      output: null,
+      errors: [{ message: 'Use of forbidden element <script>' }],
+    },
+    {
+      code: '<html></html>',
+      output: null,
+      errors: [{ message: 'Use of forbidden element <html>' }],
+    },
+    {
+      code: '<style></style>',
+      output: null,
+      errors: [{ message: 'Use of forbidden element <style>' }],
+    },
+    {
+      code: '<meta charset="utf-8">',
+      output: null,
+      errors: [{ message: 'Use of forbidden element <meta>' }],
+    },
+    {
+      code: '<head><html></html></head>',
+      output: null,
+      errors: [{ message: 'Use of forbidden element <html>' }],
+    },
+    // Custom forbidden list.
+    {
+      code: '<div></div>',
+      output: null,
+      options: [['div']],
+      errors: [{ message: 'Use of forbidden element <div>' }],
+    },
+    {
+      code: '<Foo />',
+      output: null,
+      options: [['Foo']],
+      errors: [{ message: 'Use of forbidden element <Foo>' }],
+    },
+  ],
+});

From 8d9f8d344b4eb20f9080b9fc3b0efd7d17b6ae57 Mon Sep 17 00:00:00 2001
From: NullVoxPopuli <199018+NullVoxPopuli@users.noreply.github.com>
Date: Fri, 13 Mar 2026 14:20:24 -0400
Subject: [PATCH 2/2] Apply PR Feedback

---
 lib/rules/template-no-forbidden-elements.js       | 14 +++++++++++++-
 tests/lib/rules/template-no-forbidden-elements.js | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/lib/rules/template-no-forbidden-elements.js b/lib/rules/template-no-forbidden-elements.js
index 3857f57f17..c9780a93b1 100644
--- a/lib/rules/template-no-forbidden-elements.js
+++ b/lib/rules/template-no-forbidden-elements.js
@@ -14,7 +14,17 @@ module.exports = {
     },
     schema: [
       {
-        oneOf: [{ type: 'array', items: { type: 'string' } }, { type: 'boolean' }],
+        oneOf: [
+          { type: 'array', items: { type: 'string' } },
+          { type: 'boolean' },
+          {
+            type: 'object',
+            properties: {
+              forbidden: { type: 'array', items: { type: 'string' } },
+            },
+            additionalProperties: false,
+          },
+        ],
       },
     ],
     messages: { forbidden: 'Use of forbidden element <{{element}}>' },
@@ -33,6 +43,8 @@ module.exports = {
       forbiddenList = DEFAULT_FORBIDDEN;
     } else if (Array.isArray(rawConfig)) {
       forbiddenList = rawConfig;
+    } else if (rawConfig && typeof rawConfig === 'object') {
+      forbiddenList = rawConfig.forbidden ?? DEFAULT_FORBIDDEN;
     } else {
       forbiddenList = [];
     }
diff --git a/tests/lib/rules/template-no-forbidden-elements.js b/tests/lib/rules/template-no-forbidden-elements.js
index 3127415030..2361ef3ffe 100644
--- a/tests/lib/rules/template-no-forbidden-elements.js
+++ b/tests/lib/rules/template-no-forbidden-elements.js
@@ -8,12 +8,21 @@ const ruleTester = new RuleTester({
 ruleTester.run('template-no-forbidden-elements', rule, {
   valid: [
     { code: '<template><div></div></template>', options: [['script']] },
+    // Object config form
+    { code: '<template><div></div></template>', options: [{ forbidden: ['script'] }] },
+    { code: '<template><script></script></template>', options: [{ forbidden: ['html'] }] },
     '<template><header></header></template>',
     '<template><footer></footer></template>',
     '<template><p></p></template>',
     '<template><head><meta charset="utf-8"></head></template>',
   ],
   invalid: [
+    {
+      code: '<template><script></script></template>',
+      output: null,
+      options: [{ forbidden: ['script'] }],
+      errors: [{ messageId: 'forbidden' }],
+    },
     {
       code: '<template><script></script></template>',
       output: null,
@@ -70,6 +79,11 @@ hbsRuleTester.run('template-no-forbidden-elements', rule, {
       code: '<script></script>',
       options: [['html', 'meta', 'style']],
     },
+    // Object config form.
+    {
+      code: '<script></script>',
+      options: [{ forbidden: ['html', 'meta', 'style'] }],
+    },
   ],
   invalid: [
     // Default config.