[doc] Update generated jsp ruleset files

Andreas Dangel
2017-11-03 15:37:24 +01:00
parent 15526591d4
commit ac49d6fb6f
8 changed files with 407 additions and 381 deletions

@ -5,22 +5,31 @@ folder: pmd/rules
---
List of rulesets and rules contained in each ruleset.
* [Basic JSF](pmd_rules_jsp_basic-jsf.html): Rules concerning basic JSF guidelines.
* [Basic JSP](pmd_rules_jsp_basic.html): Rules concerning basic JSP guidelines.
* [Best Practices](pmd_rules_jsp_bestpractices.html): Rules which enforce generally accepted best practices.
* [Codestyle](pmd_rules_jsp_codestyle.html): Rules which enforce a specific coding style.
* [Design](pmd_rules_jsp_design.html): Rules that help you discover design issues.
* [Error Prone](pmd_rules_jsp_errorprone.html): Rules to detect constructs that are either broken, extremely confusing or prone to runtime errors.
* [Security](pmd_rules_jsp_security.html): Rules that flag potential security flaws.
## Basic JSF
* [DontNestJsfInJstlIteration](pmd_rules_jsp_basic-jsf.html#dontnestjsfinjstliteration): Do not nest JSF component custom actions inside a custom action that iterates over its body.
## Best Practices
* [DontNestJsfInJstlIteration](pmd_rules_jsp_bestpractices.html#dontnestjsfinjstliteration): Do not nest JSF component custom actions inside a custom action that iterates over its body.
* [NoClassAttribute](pmd_rules_jsp_bestpractices.html#noclassattribute): Do not use an attribute called 'class'. Use "styleclass" for CSS styles.
* [NoHtmlComments](pmd_rules_jsp_bestpractices.html#nohtmlcomments): In a production system, HTML comments increase the payloadbetween the application server to the c...
* [NoJspForward](pmd_rules_jsp_bestpractices.html#nojspforward): Do not do a forward from within a JSP file.
## Basic JSP
* [DuplicateJspImports](pmd_rules_jsp_basic.html#duplicatejspimports): Avoid duplicate import statements inside JSP's.
* [IframeMissingSrcAttribute](pmd_rules_jsp_basic.html#iframemissingsrcattribute): IFrames which are missing a src element can cause security information popups in IE if you are ac...
* [JspEncoding](pmd_rules_jsp_basic.html#jspencoding): A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset.
* [NoClassAttribute](pmd_rules_jsp_basic.html#noclassattribute): Do not use an attribute called 'class'. Use "styleclass" for CSS styles.
* [NoHtmlComments](pmd_rules_jsp_basic.html#nohtmlcomments): In a production system, HTML comments increase the payloadbetween the application server to the c...
* [NoInlineScript](pmd_rules_jsp_basic.html#noinlinescript): Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attri...
* [NoInlineStyleInformation](pmd_rules_jsp_basic.html#noinlinestyleinformation): Style information should be put in CSS files, not in JSPs. Therefore, don't use <B> or <FONT>tags...
* [NoJspForward](pmd_rules_jsp_basic.html#nojspforward): Do not do a forward from within a JSP file.
* [NoLongScripts](pmd_rules_jsp_basic.html#nolongscripts): Scripts should be part of Tag Libraries, rather than part of JSP pages.
* [NoScriptlets](pmd_rules_jsp_basic.html#noscriptlets): Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of J...
* [NoUnsanitizedJSPExpression](pmd_rules_jsp_basic.html#nounsanitizedjspexpression): Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - ...
## Codestyle
* [DuplicateJspImports](pmd_rules_jsp_codestyle.html#duplicatejspimports): Avoid duplicate import statements inside JSP's.
## Design
* [NoInlineScript](pmd_rules_jsp_design.html#noinlinescript): Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attri...
* [NoInlineStyleInformation](pmd_rules_jsp_design.html#noinlinestyleinformation): Style information should be put in CSS files, not in JSPs. Therefore, don't use <B> or <FONT>tags...
* [NoLongScripts](pmd_rules_jsp_design.html#nolongscripts): Scripts should be part of Tag Libraries, rather than part of JSP pages.
* [NoScriptlets](pmd_rules_jsp_design.html#noscriptlets): Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of J...
## Error Prone
* [JspEncoding](pmd_rules_jsp_errorprone.html#jspencoding): A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset.
## Security
* [IframeMissingSrcAttribute](pmd_rules_jsp_security.html#iframemissingsrcattribute): IFrames which are missing a src element can cause security information popups in IE if you are ac...
* [NoUnsanitizedJSPExpression](pmd_rules_jsp_security.html#nounsanitizedjspexpression): Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - ...
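Review bot: The NoHtmlComments summary in both the Best Practices and Basic JSP lists reads "increase the payloadbetween the application server", so the generator is joining the wrapped description lines without a separator; it should join them with a single space before truncating. The NoInlineStyleInformation entries show the same join problem ("<FONT>tags") and also emit raw <B> and <FONT> into Markdown, which should be escaped or wrapped in backticks so the site does not render them as HTML.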

@ -1,40 +0,0 @@
---
title: Basic JSF
summary: Rules concerning basic JSF guidelines.
permalink: pmd_rules_jsp_basic-jsf.html
folder: pmd/rules/jsp
sidebaractiveurl: /pmd_rules_jsp.html
editmepath: ../pmd-jsp/src/main/resources/rulesets/jsp/basic-jsf.xml
keywords: Basic JSF, DontNestJsfInJstlIteration
---
## DontNestJsfInJstlIteration
**Since:** PMD 3.6
**Priority:** Medium (3)
Do not nest JSF component custom actions inside a custom action that iterates over its body.
```
//Element[ @Name="c:forEach" ] // Element[ @NamespacePrefix="h" or @NamespacePrefix="f" ]
```
**Example(s):**
``` jsp
<html>
<body>
<ul>
<c:forEach items='${books}' var='b'>
<li> <h:outputText value='#{b}' /> </li>
</c:forEach>
</ul>
</body>
</html>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/basic-jsf.xml/DontNestJsfInJstlIteration" />
```
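Review bot: Deleting this page removes the permalink pmd_rules_jsp_basic-jsf.html and the documented reference rulesets/jsp/basic-jsf.xml/DontNestJsfInJstlIteration, and nothing in the visible hunks tells a reader where the rule went. Consider leaving a redirect or a short note pointing to pmd_rules_jsp_bestpractices.html#dontnestjsfinjstliteration so existing links and rule references can be migrated.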

File diff suppressed because it is too large

@ -0,0 +1,119 @@
---
title: Best Practices
summary: Rules which enforce generally accepted best practices.
permalink: pmd_rules_jsp_bestpractices.html
folder: pmd/rules/jsp
sidebaractiveurl: /pmd_rules_jsp.html
editmepath: ../pmd-jsp/src/main/resources/category/jsp/bestpractices.xml
keywords: Best Practices, DontNestJsfInJstlIteration, NoClassAttribute, NoHtmlComments, NoJspForward
---
## DontNestJsfInJstlIteration
**Since:** PMD 3.6
**Priority:** Medium (3)
Do not nest JSF component custom actions inside a custom action that iterates over its body.
```
//Element[ @Name="c:forEach" ] // Element[ @NamespacePrefix="h" or @NamespacePrefix="f" ]
```
**Example(s):**
``` jsp
<html>
<body>
<ul>
<c:forEach items='${books}' var='b'>
<li> <h:outputText value='#{b}' /> </li>
</c:forEach>
</ul>
</body>
</html>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/bestpractices.xml/DontNestJsfInJstlIteration" />
```
## NoClassAttribute
**Since:** PMD 3.6
**Priority:** Medium High (2)
Do not use an attribute called 'class'. Use "styleclass" for CSS styles.
```
//Attribute[ upper-case(@Name)="CLASS" ]
```
**Example(s):**
``` jsp
<HTML> <BODY>
<P class="MajorHeading">Some text</P>
</BODY> </HTML>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/bestpractices.xml/NoClassAttribute" />
```
## NoHtmlComments
**Since:** PMD 3.6
**Priority:** Medium High (2)
In a production system, HTML comments increase the payload
between the application server to the client, and serve
little other purpose. Consider switching to JSP comments.
```
//CommentTag
```
**Example(s):**
``` jsp
<HTML><title>bad example><BODY>
<!-- HTML comment -->
</BODY> </HTML>
<HTML><title>good example><BODY>
<%-- JSP comment --%>
</BODY> </HTML>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/bestpractices.xml/NoHtmlComments" />
```
## NoJspForward
**Since:** PMD 3.6
**Priority:** Medium (3)
Do not do a forward from within a JSP file.
```
//Element[ @Name="jsp:forward" ]
```
**Example(s):**
``` jsp
<jsp:forward page='UnderConstruction.jsp'/>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/bestpractices.xml/NoJspForward" />
```
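Review bot: The four "Use this rule by referencing it" snippets point at rulesets/jsp/bestpractices.xml/..., but the front matter gives the source as ../pmd-jsp/src/main/resources/category/jsp/bestpractices.xml. If the rules now live under category/, the generated ref should read category/jsp/bestpractices.xml/<RuleName>; otherwise a user copying the snippet gets a ruleset that cannot be resolved. The other new category pages in this commit have the same rulesets/ prefix. Separately, the NoHtmlComments example contains `<title>bad example>` and `<title>good example>`, which are missing the closing `</title`.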

@ -0,0 +1,30 @@
---
title: Codestyle
summary: Rules which enforce a specific coding style.
permalink: pmd_rules_jsp_codestyle.html
folder: pmd/rules/jsp
sidebaractiveurl: /pmd_rules_jsp.html
editmepath: ../pmd-jsp/src/main/resources/category/jsp/codestyle.xml
keywords: Codestyle, DuplicateJspImports
---
## DuplicateJspImports
**Since:** PMD 3.7
**Priority:** Medium (3)
Avoid duplicate import statements inside JSP's.
**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.codestyle.DuplicateJspImportsRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/codestyle/DuplicateJspImportsRule.java)
**Example(s):**
``` jsp
<%@ page import=\"com.foo.MyClass,com.foo.MyClass\"%><html><body><b><img src=\"<%=Some.get()%>/foo\">xx</img>text</b></body></html>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/codestyle.xml/DuplicateJspImports" />
```
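Review bot: The DuplicateJspImports example carries backslash-escaped quotes (`import=\"com.foo.MyClass,com.foo.MyClass\"` and `src=\"<%=Some.get()%>/foo\"`), which looks like string-literal escaping leaking from the rule source into the rendered docs. As written it is not valid JSP; the example in the ruleset XML should use plain double quotes. It would also read better split over several lines instead of one.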

@ -0,0 +1,126 @@
---
title: Design
summary: Rules that help you discover design issues.
permalink: pmd_rules_jsp_design.html
folder: pmd/rules/jsp
sidebaractiveurl: /pmd_rules_jsp.html
editmepath: ../pmd-jsp/src/main/resources/category/jsp/design.xml
keywords: Design, NoInlineScript, NoInlineStyleInformation, NoLongScripts, NoScriptlets
---
## NoInlineScript
**Since:** PMD 4.0
**Priority:** Medium (3)
Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attribute on the "script" element.
Externalized script could be reused between pages. Browsers can also cache the script, reducing overall download bandwidth.
```
//HtmlScript[@Image != '']
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/design.xml/NoInlineScript" />
```
## NoInlineStyleInformation
**Since:** PMD 3.6
**Priority:** Medium (3)
Style information should be put in CSS files, not in JSPs. Therefore, don't use <B> or <FONT>
tags, or attributes like "align='center'".
**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.design.NoInlineStyleInformationRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/design/NoInlineStyleInformationRule.java)
**Example(s):**
``` jsp
<html><body><p align='center'><b>text</b></p></body></html>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/design.xml/NoInlineStyleInformation" />
```
## NoLongScripts
**Since:** PMD 3.6
**Priority:** Medium High (2)
Scripts should be part of Tag Libraries, rather than part of JSP pages.
```
//HtmlScript[(@EndLine - @BeginLine > 10)]
```
**Example(s):**
``` jsp
<HTML>
<BODY>
<!--Java Script-->
<SCRIPT language="JavaScript" type="text/javascript">
<!--
function calcDays(){
var date1 = document.getElementById('d1').lastChild.data;
var date2 = document.getElementById('d2').lastChild.data;
date1 = date1.split("-");
date2 = date2.split("-");
var sDate = new Date(date1[0]+"/"+date1[1]+"/"+date1[2]);
var eDate = new Date(date2[0]+"/"+date2[1]+"/"+date2[2]);
var daysApart = Math.abs(Math.round((sDate-eDate)/86400000));
document.getElementById('diffDays').lastChild.data = daysApart;
}
onload=calcDays;
//-->
</SCRIPT>
</BODY>
</HTML>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/design.xml/NoLongScripts" />
```
## NoScriptlets
**Since:** PMD 3.6
**Priority:** Medium (3)
Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of JSP pages.
```
//JspScriptlet
|
//Element[ upper-case(@Name)="JSP:SCRIPTLET" ]
```
**Example(s):**
``` jsp
<HTML>
<HEAD>
<%
response.setHeader("Pragma", "No-cache");
%>
</HEAD>
<BODY>
<jsp:scriptlet>String title = "Hello world!";</jsp:scriptlet>
</BODY>
</HTML>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/design.xml/NoScriptlets" />
```
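Review bot: NoInlineScript is the only rule on this page without an **Example(s):** block, so a reader has to infer from `//HtmlScript[@Image != '']` what is flagged; add a short inline-script example next to the externalized `src` form. For NoLongScripts, the description does not mention the threshold the XPath enforces (`@EndLine - @BeginLine > 10`), which is worth stating so users know when the rule fires.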

@ -0,0 +1,42 @@
---
title: Error Prone
summary: Rules to detect constructs that are either broken, extremely confusing or prone to runtime errors.
permalink: pmd_rules_jsp_errorprone.html
folder: pmd/rules/jsp
sidebaractiveurl: /pmd_rules_jsp.html
editmepath: ../pmd-jsp/src/main/resources/category/jsp/errorprone.xml
keywords: Error Prone, JspEncoding
---
## JspEncoding
**Since:** PMD 4.0
**Priority:** Medium (3)
A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset.
```
//CompilationUnit/Content[
not(Element[@Name="meta"][
Attribute[@Name="content"]/AttributeValue[contains(lower-case(@Image),"charset=utf-8")]
])
and
not(JspDirective[@Name='page']/JspDirectiveAttribute[@Name='contentType'][contains(lower-case(@Value),"charset=utf-8")])
]
```
**Example(s):**
``` jsp
Most browsers should be able to interpret the following headers:
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<meta http-equiv="Content-Type"  content="text/html; charset=UTF-8" />
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/errorprone.xml/JspEncoding" />
```
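Review bot: The JspEncoding description and its XPath disagree. The text says a missing 'meta' tag or page directive triggers the rule, but the expression joins the two `not(...)` tests with `and`, so a violation is reported only when neither a UTF-8 meta tag nor a UTF-8 `contentType` page directive is present. Reword the description to match (either one satisfies the rule). Also, the sentence "Most browsers should be able to interpret the following headers:" sits inside the jsp code fence; wrap it in a JSP comment or move it out of the example.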

@ -0,0 +1,65 @@
---
title: Security
summary: Rules that flag potential security flaws.
permalink: pmd_rules_jsp_security.html
folder: pmd/rules/jsp
sidebaractiveurl: /pmd_rules_jsp.html
editmepath: ../pmd-jsp/src/main/resources/category/jsp/security.xml
keywords: Security, IframeMissingSrcAttribute, NoUnsanitizedJSPExpression
---
## IframeMissingSrcAttribute
**Since:** PMD 3.6
**Priority:** Medium High (2)
IFrames which are missing a src element can cause security information popups in IE if you are accessing the page
through SSL. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q261188
```
//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0]
```
**Example(s):**
``` jsp
<HTML><title>bad example><BODY>
<iframe></iframe>
</BODY> </HTML>
<HTML><title>good example><BODY>
<iframe src="foo"></iframe>
</BODY> </HTML>
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/security.xml/IframeMissingSrcAttribute" />
```
## NoUnsanitizedJSPExpression
**Since:** PMD 5.1.4
**Priority:** Medium (3)
Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - as the expression
would be interpreted by the browser directly (e.g. "<script>alert('hello');</script>").
**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.security.NoUnsanitizedJSPExpressionRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/security/NoUnsanitizedJSPExpressionRule.java)
**Example(s):**
``` jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
${expression} <!-- don't use this -->
${fn:escapeXml(expression)} <!-- instead, escape it -->
<c:out value="${expression}" /> <!-- or use c:out -->
```
**Use this rule by referencing it:**
``` xml
<rule ref="rulesets/jsp/security.xml/NoUnsanitizedJSPExpression" />
```
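Review bot: The NoUnsanitizedJSPExpression example recommends `<c:out value="${expression}" />` but only declares the `fn` taglib, so the `c` prefix is unbound and the tag would not be processed by the container. Add `<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>` to the example. The annotations in this example are HTML comments, which the NoHtmlComments rule in the same commit flags; JSP comments (`<%-- --%>`) would keep the docs consistent. In the IframeMissingSrcAttribute example, `<title>bad example>` and `<title>good example>` are missing the closing `</title`.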