org.sonar.l10n.web.rules.Web.AvoidHtmlCommentCheck.html Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of sonar-web-plugin Show documentation
Show all versions of sonar-web-plugin Show documentation
Enables scanning of HTML, and JSP/JSF files.
Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of
exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and
has) inadvertently expose:
- Version numbers and host names
- Full, server-side path names
- Sensitive user data
Because every other language has its own native comment format, there is no justification for using HTML-style comments in anything other than a
pure HTML or XML file.
Noncompliant Code Example
<%
out.write("<!-- ${username} -->"); // Noncompliant
%>
<!-- <% out.write(userId) %> --> // Noncompliant
<!-- #{userPhone} --> // Noncompliant
<!-- ${userAddress} --> // Noncompliant
<!-- Replace 'world' with name --> // Noncompliant
<h2>Hello world!</h2>
Compliant Solution
<%-- Replace 'world' with name --%> // Compliant
<h2>Hello world!</h2>
See
- MITRE, CWE-615 - Information Exposure Through Comments
- OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
© 2015 - 2024 Weber Informatics LLC | Privacy Policy