• Home
• net.sourceforge.pmd
• pmd-jsp
• 7.7.0
• source code
• security.xml

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

category.jsp.security.xml Maven / Gradle / Ivy

<?xml version="1.0" encoding="UTF-8"?>

<ruleset name="Security"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>
Rules that flag potential security flaws.
    </description>

    <rule name="IframeMissingSrcAttribute"
          language="jsp"
          since="3.6"
          message="IFrames must have a src attribute."
          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_jsp_security.html#iframemissingsrcattribute">
        <description>
IFrames which are missing a src element can cause security information popups in IE if you are accessing the page
through SSL. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q261188
        </description>
        <priority>2</priority>
        <properties>
            <property name="xpath">
                <value>
<![CDATA[
//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0]
]]>
                </value>
            </property>
        </properties>
        <example>
<![CDATA[
<HTML><title>bad example><BODY>
<iframe></iframe>
</BODY> </HTML>

<HTML><title>good example><BODY>
<iframe src="foo"></iframe>
</BODY> </HTML>
]]>
        </example>
    </rule>

    <rule name="NoUnsanitizedJSPExpression"
          language="jsp"
          since="5.1.4"
          class="net.sourceforge.pmd.lang.jsp.rule.security.NoUnsanitizedJSPExpressionRule"
          message="Using unsanitized JSP expression can lead to Cross Site Scripting (XSS) attacks"
          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_jsp_security.html#nounsanitizedjspexpression">
        <description>
Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - as the expression
would be interpreted by the browser directly (e.g. "&lt;script&gt;alert('hello');&lt;/script&gt;").
        </description>
        <priority>3</priority>
        <example>
<![CDATA[
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
${expression}                    <!-- don't use this -->
${fn:escapeXml(expression)}      <!-- instead, escape it -->
<c:out value="${expression}" />  <!-- or use c:out -->
]]>
        </example>
    </rule>

</ruleset>