• Home
• org.codehaus.sonar-plugins
• sonar-web-plugin
• 2.3
• source code
• AvoidHtmlCommentCheck.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.web.rules.Web.AvoidHtmlCommentCheck.html Maven / Gradle / Ivy

  Using HTML-style comments in a page that will be generated or interpolated server-side before being served
  to the user increases the risk of exposing data that should be kept private.
  For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:


  
Version numbers and host names
  
Full, server-side path names
  
Sensitive user data


  Because every other language has its own native comment format, there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.


Noncompliant Code Example
  <%
      out.write("<!-- ${username} -->");  // Noncompliant
  %>
  <!-- <% out.write(userId) %> -->  // Noncompliant
  <!-- #{userPhone} -->  // Noncompliant
  <!-- ${userAddress} --> // Noncompliant

  <!-- Replace 'world' with name --> // Noncompliant
  <h2>Hello world!</h2>


Compliant Solution
  <%-- Replace 'world' with name %>  // Compliant
  <h2>Hello world!</h2>


See

  
MITRE, CWE-615 - Information Exposure Through Comments