
org.sonar.l10n.web.rules.Web.AvoidHtmlCommentCheck.html
Using HTML-style comments in a page that is generated or interpolated server-side before being served to the user increases the risk of
exposing data that should be kept private. An HTML comment is part of the response body, so a developer note or a line of debugging output
left in a page can easily (and in practice has) inadvertently expose:
- Version numbers and host names
- Full, server-side path names
- Sensitive user data
Every other language has its own native comment syntax that is stripped before the response is sent, so there is no justification for using
HTML-style comments in anything other than a pure HTML or XML file.
Ask Yourself Whether
- The comment contains sensitive information.
- The comment can be removed.
Recommended Secure Coding Practices
It is recommended to remove the comment or change its style so that it is not output to the client.
Sensitive Code Example
<%
out.write("<!-- ${username} -->"); // Sensitive
%>
<!-- <% out.write(userId) %> --> // Sensitive
<!-- #{userPhone} --> // Sensitive
<!-- ${userAddress} --> // Sensitive
<!-- Replace 'world' with name --> // Sensitive
<h2>Hello world!</h2>
Compliant Solution
<%-- Replace 'world' with name --%> // Compliant
<h2>Hello world!</h2>
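The following is an added example, not part of the rule description or of SonarQube's own checker. It shows both halves of the rule on a constructed JSP fragment: a scanner that lists HTML comments and flags those containing an EL expression or scriptlet, a simplified renderer that approximates what the client receives (JSP `<%-- --%>` comments dropped, `${...}`/`#{...}` substituted, HTML comments passed through), and a rewrite that converts template-level HTML comments to JSP comments. The sample template, the context values and the helper names are all assumptions made for this example; the renderer does not model scriptlets, and a comment built inside Java code (as in the page's first `out.write` case) has to be removed in the Java source rather than rewritten.

```python
import re

# Constructed JSP fragment for this example; it is not a file from any real project.
SAMPLE_JSP = (
    "<!-- build ${buildVersion} on ${hostName} -->\n"   # leaks version + host name
    "<!-- #{userPhone} -->\n"                           # leaks user data
    "<!-- Replace 'world' with name -->\n"              # harmless text, but still sent
    "<%-- Replace 'world' with name --%>\n"             # JSP comment: never sent
    "<h2>Hello ${username}!</h2>\n"
)

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)   # reaches the browser
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)     # stripped on the server
EL_EXPR = re.compile(r"[$#]\{(\w+)\}")                  # ${name} / #{name}
DYNAMIC = re.compile(r"[$#]\{|<%")                      # EL or scriptlet inside a comment


def find_html_comments(source):
    """List every HTML comment as (line, body, dynamic) in order of appearance."""
    findings = []
    for m in HTML_COMMENT.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        body = m.group(1).strip()
        findings.append((line, body, bool(DYNAMIC.search(body))))
    return findings


def client_view(template, ctx):
    """Approximate what a JSP engine sends to the client: JSP comments are dropped,
    EL expressions are substituted, HTML comments pass through unchanged.
    Scriptlets (<% ... %>) are not modelled here (assumption of this example)."""
    rendered = JSP_COMMENT.sub("", template)
    return EL_EXPR.sub(lambda m: str(ctx.get(m.group(1), "")), rendered)


def values_leaked_in_comments(template, ctx):
    """Map each variable referenced inside an HTML comment to the value the client would see."""
    leaked = {}
    for _, body, dynamic in find_html_comments(template):
        if dynamic:
            for name in EL_EXPR.findall(body):
                leaked[name] = str(ctx.get(name, ""))
    return leaked


def make_server_side(template):
    """Rewrite HTML comments in template markup as JSP comments (<%-- ... --%>) so they
    are dropped before the response is sent. Only for template text: a comment assembled
    inside Java code (out.write("<!-- ... -->")) must be removed in the Java source."""
    return HTML_COMMENT.sub(lambda m: "<%--" + m.group(1) + "--%>", template)


if __name__ == "__main__":
    # Constructed context values standing in for what the server would interpolate.
    ctx = {"buildVersion": "3.4.1", "hostName": "app01.internal.example",
           "userPhone": "555-0100", "username": "alice"}
    for line, body, dynamic in find_html_comments(SAMPLE_JSP):
        print(f"line {line}: {'DYNAMIC' if dynamic else 'static '} <!-- {body} -->")
    print("values reaching the client inside comments:", values_leaked_in_comments(SAMPLE_JSP, ctx))
    print("--- client view after rewriting to JSP comments ---")
    print(client_view(make_server_side(SAMPLE_JSP), ctx))
```

Run as a script it reports three HTML comments (two flagged as dynamic), shows that the build version, host name and phone number would reach the client inside comments, and then shows that after the rewrite none of the comment text survives in the client view while the `<h2>` is rendered as before. The scanner deliberately flags static HTML comments as well, because the rule's question "can the comment be removed?" applies to those too.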