All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.l10n.web.rules.Web.AvoidHtmlCommentCheck.html Maven / Gradle / Ivy

There is a newer version: 2.6.0.1053
Show newest version

Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:

  • Version numbers and host names
  • Full, server-side path names
  • Sensitive user data

Because every other language has its own native comment format, there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.

Noncompliant Code Example

  <%
      out.write("<!-- ${username} -->");  // Noncompliant
  %>
      <!-- <% out.write(userId) %> -->  // Noncompliant
      <!-- #{userPhone} -->  // Noncompliant
      <!-- ${userAddress} --> // Noncompliant

      <!-- Replace 'world' with name --> // Noncompliant
      <h2>Hello world!</h2>

Compliant Solution

      <%-- Replace 'world' with name --%>  // Compliant
      <h2>Hello world!</h2>

See





© 2015 - 2024 Weber Informatics LLC | Privacy Policy