diff --git a/docs/pages/pmd/rules/jsp.md b/docs/pages/pmd/rules/jsp.md index 9951e6aa56..5999f09fc8 100644 --- a/docs/pages/pmd/rules/jsp.md +++ b/docs/pages/pmd/rules/jsp.md @@ -5,22 +5,31 @@ folder: pmd/rules --- List of rulesets and rules contained in each ruleset. -* [Basic JSF](pmd_rules_jsp_basic-jsf.html): Rules concerning basic JSF guidelines. -* [Basic JSP](pmd_rules_jsp_basic.html): Rules concerning basic JSP guidelines. +* [Best Practices](pmd_rules_jsp_bestpractices.html): Rules which enforce generally accepted best practices. +* [Codestyle](pmd_rules_jsp_codestyle.html): Rules which enforce a specific coding style. +* [Design](pmd_rules_jsp_design.html): Rules that help you discover design issues. +* [Error Prone](pmd_rules_jsp_errorprone.html): Rules to detect constructs that are either broken, extremely confusing or prone to runtime errors. +* [Security](pmd_rules_jsp_security.html): Rules that flag potential security flaws. -## Basic JSF -* [DontNestJsfInJstlIteration](pmd_rules_jsp_basic-jsf.html#dontnestjsfinjstliteration): Do not nest JSF component custom actions inside a custom action that iterates over its body. +## Best Practices +* [DontNestJsfInJstlIteration](pmd_rules_jsp_bestpractices.html#dontnestjsfinjstliteration): Do not nest JSF component custom actions inside a custom action that iterates over its body. +* [NoClassAttribute](pmd_rules_jsp_bestpractices.html#noclassattribute): Do not use an attribute called 'class'. Use "styleclass" for CSS styles. +* [NoHtmlComments](pmd_rules_jsp_bestpractices.html#nohtmlcomments): In a production system, HTML comments increase the payloadbetween the application server to the c... +* [NoJspForward](pmd_rules_jsp_bestpractices.html#nojspforward): Do not do a forward from within a JSP file. -## Basic JSP -* [DuplicateJspImports](pmd_rules_jsp_basic.html#duplicatejspimports): Avoid duplicate import statements inside JSP's. -* [IframeMissingSrcAttribute](pmd_rules_jsp_basic.html#iframemissingsrcattribute): IFrames which are missing a src element can cause security information popups in IE if you are ac... -* [JspEncoding](pmd_rules_jsp_basic.html#jspencoding): A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset. -* [NoClassAttribute](pmd_rules_jsp_basic.html#noclassattribute): Do not use an attribute called 'class'. Use "styleclass" for CSS styles. -* [NoHtmlComments](pmd_rules_jsp_basic.html#nohtmlcomments): In a production system, HTML comments increase the payloadbetween the application server to the c... -* [NoInlineScript](pmd_rules_jsp_basic.html#noinlinescript): Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attri... -* [NoInlineStyleInformation](pmd_rules_jsp_basic.html#noinlinestyleinformation): Style information should be put in CSS files, not in JSPs. Therefore, don't use or tags... -* [NoJspForward](pmd_rules_jsp_basic.html#nojspforward): Do not do a forward from within a JSP file. -* [NoLongScripts](pmd_rules_jsp_basic.html#nolongscripts): Scripts should be part of Tag Libraries, rather than part of JSP pages. -* [NoScriptlets](pmd_rules_jsp_basic.html#noscriptlets): Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of J... -* [NoUnsanitizedJSPExpression](pmd_rules_jsp_basic.html#nounsanitizedjspexpression): Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - ... +## Codestyle +* [DuplicateJspImports](pmd_rules_jsp_codestyle.html#duplicatejspimports): Avoid duplicate import statements inside JSP's. + +## Design +* [NoInlineScript](pmd_rules_jsp_design.html#noinlinescript): Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attri... +* [NoInlineStyleInformation](pmd_rules_jsp_design.html#noinlinestyleinformation): Style information should be put in CSS files, not in JSPs. Therefore, don't use or tags... +* [NoLongScripts](pmd_rules_jsp_design.html#nolongscripts): Scripts should be part of Tag Libraries, rather than part of JSP pages. +* [NoScriptlets](pmd_rules_jsp_design.html#noscriptlets): Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of J... + +## Error Prone +* [JspEncoding](pmd_rules_jsp_errorprone.html#jspencoding): A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset. + +## Security +* [IframeMissingSrcAttribute](pmd_rules_jsp_security.html#iframemissingsrcattribute): IFrames which are missing a src element can cause security information popups in IE if you are ac... +* [NoUnsanitizedJSPExpression](pmd_rules_jsp_security.html#nounsanitizedjspexpression): Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - ... diff --git a/docs/pages/pmd/rules/jsp/basic-jsf.md b/docs/pages/pmd/rules/jsp/basic-jsf.md deleted file mode 100644 index d8104dca9d..0000000000 --- a/docs/pages/pmd/rules/jsp/basic-jsf.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: Basic JSF -summary: Rules concerning basic JSF guidelines. -permalink: pmd_rules_jsp_basic-jsf.html -folder: pmd/rules/jsp -sidebaractiveurl: /pmd_rules_jsp.html -editmepath: ../pmd-jsp/src/main/resources/rulesets/jsp/basic-jsf.xml -keywords: Basic JSF, DontNestJsfInJstlIteration ---- -## DontNestJsfInJstlIteration - -**Since:** PMD 3.6 - -**Priority:** Medium (3) - -Do not nest JSF component custom actions inside a custom action that iterates over its body. - -``` -//Element[ @Name="c:forEach" ] // Element[ @NamespacePrefix="h" or @NamespacePrefix="f" ] -``` - -**Example(s):** - -``` jsp - - -
    - -
    • -     -
- - -``` - -**Use this rule by referencing it:** -``` xml - -``` - diff --git a/docs/pages/pmd/rules/jsp/basic.md b/docs/pages/pmd/rules/jsp/basic.md deleted file mode 100644 index f1704787d9..0000000000 --- a/docs/pages/pmd/rules/jsp/basic.md +++ /dev/null @@ -1,325 +0,0 @@ ---- -title: Basic JSP -summary: Rules concerning basic JSP guidelines. -permalink: pmd_rules_jsp_basic.html -folder: pmd/rules/jsp -sidebaractiveurl: /pmd_rules_jsp.html -editmepath: ../pmd-jsp/src/main/resources/rulesets/jsp/basic.xml -keywords: Basic JSP, NoLongScripts, NoScriptlets, NoInlineStyleInformation, NoClassAttribute, NoJspForward, IframeMissingSrcAttribute, NoHtmlComments, DuplicateJspImports, JspEncoding, NoInlineScript, NoUnsanitizedJSPExpression ---- -## DuplicateJspImports - -**Since:** PMD 3.7 - -**Priority:** Medium (3) - -Avoid duplicate import statements inside JSP's. - -**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.basic.DuplicateJspImportsRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/basic/DuplicateJspImportsRule.java) - -**Example(s):** - -``` jsp -<%@ page import=\"com.foo.MyClass,com.foo.MyClass\"%>/foo\">xxtext -``` - -**Use this rule by referencing it:** -``` xml - -``` - -## IframeMissingSrcAttribute - -**Since:** PMD 3.6 - -**Priority:** Medium High (2) - -IFrames which are missing a src element can cause security information popups in IE if you are accessing the page -through SSL. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q261188 - -``` -//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0] -``` - -**Example(s):** - -``` jsp -bad example><BODY> -<iframe></iframe> -</BODY> </HTML> - -<HTML><title>good example><BODY> -<iframe src="foo"></iframe> -</BODY> </HTML> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/IframeMissingSrcAttribute" /> -``` - -## JspEncoding - -**Since:** PMD 4.0 - -**Priority:** Medium (3) - -A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset. - -``` -//CompilationUnit/Content[ -not(Element[@Name="meta"][ - Attribute[@Name="content"]/AttributeValue[contains(lower-case(@Image),"charset=utf-8")] -]) -and - not(JspDirective[@Name='page']/JspDirectiveAttribute[@Name='contentType'][contains(lower-case(@Value),"charset=utf-8")]) -] -``` - -**Example(s):** - -``` jsp -Most browsers should be able to interpret the following headers: - -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> - -<meta http-equiv="Content-Type"  content="text/html; charset=UTF-8" /> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/JspEncoding" /> -``` - -## NoClassAttribute - -**Since:** PMD 3.6 - -**Priority:** Medium High (2) - -Do not use an attribute called 'class'. Use "styleclass" for CSS styles. - -``` -//Attribute[ upper-case(@Name)="CLASS" ] -``` - -**Example(s):** - -``` jsp -<HTML> <BODY> -<P class="MajorHeading">Some text</P> -</BODY> </HTML> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoClassAttribute" /> -``` - -## NoHtmlComments - -**Since:** PMD 3.6 - -**Priority:** Medium High (2) - -In a production system, HTML comments increase the payload -between the application server to the client, and serve -little other purpose. Consider switching to JSP comments. - -``` -//CommentTag -``` - -**Example(s):** - -``` jsp -<HTML><title>bad example><BODY> -<!-- HTML comment --> -</BODY> </HTML> - -<HTML><title>good example><BODY> -<%-- JSP comment --%> -</BODY> </HTML> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoHtmlComments" /> -``` - -## NoInlineScript - -**Since:** PMD 4.0 - -**Priority:** Medium (3) - -Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attribute on the "script" element. -Externalized script could be reused between pages. Browsers can also cache the script, reducing overall download bandwidth. - -``` -//HtmlScript[@Image != ''] -``` - -**Example(s):** - -``` jsp -Most browsers should be able to interpret the following headers: - -<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> - -<meta http-equiv="Content-Type"  content="text/html; charset=UTF-8" /> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoInlineScript" /> -``` - -## NoInlineStyleInformation - -**Since:** PMD 3.6 - -**Priority:** Medium (3) - -Style information should be put in CSS files, not in JSPs. Therefore, don't use <B> or <FONT> -tags, or attributes like "align='center'". - -**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.basic.NoInlineStyleInformationRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/basic/NoInlineStyleInformationRule.java) - -**Example(s):** - -``` jsp -<html><body><p align='center'><b>text</b></p></body></html> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoInlineStyleInformation" /> -``` - -## NoJspForward - -**Since:** PMD 3.6 - -**Priority:** Medium (3) - -Do not do a forward from within a JSP file. - -``` -//Element[ @Name="jsp:forward" ] -``` - -**Example(s):** - -``` jsp -<jsp:forward page='UnderConstruction.jsp'/> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoJspForward" /> -``` - -## NoLongScripts - -**Since:** PMD 3.6 - -**Priority:** Medium High (2) - -Scripts should be part of Tag Libraries, rather than part of JSP pages. - -``` -//HtmlScript[(@EndLine - @BeginLine > 10)] -``` - -**Example(s):** - -``` jsp -<HTML> -<BODY> -<!--Java Script--> -<SCRIPT language="JavaScript" type="text/javascript"> -<!-- -function calcDays(){ - var date1 = document.getElementById('d1').lastChild.data; - var date2 = document.getElementById('d2').lastChild.data; - date1 = date1.split("-"); - date2 = date2.split("-"); - var sDate = new Date(date1[0]+"/"+date1[1]+"/"+date1[2]); - var eDate = new Date(date2[0]+"/"+date2[1]+"/"+date2[2]); - var daysApart = Math.abs(Math.round((sDate-eDate)/86400000)); - document.getElementById('diffDays').lastChild.data = daysApart; -} - -onload=calcDays; -//--> -</SCRIPT> -</BODY> -</HTML> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoLongScripts" /> -``` - -## NoScriptlets - -**Since:** PMD 3.6 - -**Priority:** Medium (3) - -Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of JSP pages. - -``` -//JspScriptlet -| -//Element[ upper-case(@Name)="JSP:SCRIPTLET" ] -``` - -**Example(s):** - -``` jsp -<HTML> -<HEAD> -<% -response.setHeader("Pragma", "No-cache"); -%> -</HEAD> - <BODY> - <jsp:scriptlet>String title = "Hello world!";</jsp:scriptlet> - </BODY> -</HTML> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoScriptlets" /> -``` - -## NoUnsanitizedJSPExpression - -**Since:** PMD 5.1.4 - -**Priority:** Medium (3) - -Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - as the expression -would be interpreted by the browser directly (e.g. "<script>alert('hello');</script>"). - -**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.basic.NoUnsanitizedJSPExpressionRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/basic/NoUnsanitizedJSPExpressionRule.java) - -**Example(s):** - -``` jsp -<%@ page contentType="text/html; charset=UTF-8" %> -<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> -${expression} <!-- don't use this --> -${fn:escapeXml(expression)} <!-- instead, escape it --> -<c:out value="${expression}" /> <!-- or use c:out --> -``` - -**Use this rule by referencing it:** -``` xml -<rule ref="rulesets/jsp/basic.xml/NoUnsanitizedJSPExpression" /> -``` - diff --git a/docs/pages/pmd/rules/jsp/bestpractices.md b/docs/pages/pmd/rules/jsp/bestpractices.md new file mode 100644 index 0000000000..5d4c2cc527 --- /dev/null +++ b/docs/pages/pmd/rules/jsp/bestpractices.md @@ -0,0 +1,119 @@ +--- +title: Best Practices +summary: Rules which enforce generally accepted best practices. +permalink: pmd_rules_jsp_bestpractices.html +folder: pmd/rules/jsp +sidebaractiveurl: /pmd_rules_jsp.html +editmepath: ../pmd-jsp/src/main/resources/category/jsp/bestpractices.xml +keywords: Best Practices, DontNestJsfInJstlIteration, NoClassAttribute, NoHtmlComments, NoJspForward +--- +## DontNestJsfInJstlIteration + +**Since:** PMD 3.6 + +**Priority:** Medium (3) + +Do not nest JSF component custom actions inside a custom action that iterates over its body. + +``` +//Element[ @Name="c:forEach" ] // Element[ @NamespacePrefix="h" or @NamespacePrefix="f" ] +``` + +**Example(s):** + +``` jsp +<html> + <body> + <ul> + <c:forEach items='${books}' var='b'> + <li> <h:outputText value='#{b}' /> </li> + </c:forEach> + </ul> + </body> +</html> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/bestpractices.xml/DontNestJsfInJstlIteration" /> +``` + +## NoClassAttribute + +**Since:** PMD 3.6 + +**Priority:** Medium High (2) + +Do not use an attribute called 'class'. Use "styleclass" for CSS styles. + +``` +//Attribute[ upper-case(@Name)="CLASS" ] +``` + +**Example(s):** + +``` jsp +<HTML> <BODY> +<P class="MajorHeading">Some text</P> +</BODY> </HTML> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/bestpractices.xml/NoClassAttribute" /> +``` + +## NoHtmlComments + +**Since:** PMD 3.6 + +**Priority:** Medium High (2) + +In a production system, HTML comments increase the payload +between the application server to the client, and serve +little other purpose. Consider switching to JSP comments. + +``` +//CommentTag +``` + +**Example(s):** + +``` jsp +<HTML><title>bad example><BODY> +<!-- HTML comment --> +</BODY> </HTML> + +<HTML><title>good example><BODY> +<%-- JSP comment --%> +</BODY> </HTML> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/bestpractices.xml/NoHtmlComments" /> +``` + +## NoJspForward + +**Since:** PMD 3.6 + +**Priority:** Medium (3) + +Do not do a forward from within a JSP file. + +``` +//Element[ @Name="jsp:forward" ] +``` + +**Example(s):** + +``` jsp +<jsp:forward page='UnderConstruction.jsp'/> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/bestpractices.xml/NoJspForward" /> +``` + diff --git a/docs/pages/pmd/rules/jsp/codestyle.md b/docs/pages/pmd/rules/jsp/codestyle.md new file mode 100644 index 0000000000..d6aede30cd --- /dev/null +++ b/docs/pages/pmd/rules/jsp/codestyle.md @@ -0,0 +1,30 @@ +--- +title: Codestyle +summary: Rules which enforce a specific coding style. +permalink: pmd_rules_jsp_codestyle.html +folder: pmd/rules/jsp +sidebaractiveurl: /pmd_rules_jsp.html +editmepath: ../pmd-jsp/src/main/resources/category/jsp/codestyle.xml +keywords: Codestyle, DuplicateJspImports +--- +## DuplicateJspImports + +**Since:** PMD 3.7 + +**Priority:** Medium (3) + +Avoid duplicate import statements inside JSP's. + +**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.codestyle.DuplicateJspImportsRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/codestyle/DuplicateJspImportsRule.java) + +**Example(s):** + +``` jsp +<%@ page import=\"com.foo.MyClass,com.foo.MyClass\"%><html><body><b><img src=\"<%=Some.get()%>/foo\">xx</img>text</b></body></html> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/codestyle.xml/DuplicateJspImports" /> +``` + diff --git a/docs/pages/pmd/rules/jsp/design.md b/docs/pages/pmd/rules/jsp/design.md new file mode 100644 index 0000000000..3d20592513 --- /dev/null +++ b/docs/pages/pmd/rules/jsp/design.md @@ -0,0 +1,126 @@ +--- +title: Design +summary: Rules that help you discover design issues. +permalink: pmd_rules_jsp_design.html +folder: pmd/rules/jsp +sidebaractiveurl: /pmd_rules_jsp.html +editmepath: ../pmd-jsp/src/main/resources/category/jsp/design.xml +keywords: Design, NoInlineScript, NoInlineStyleInformation, NoLongScripts, NoScriptlets +--- +## NoInlineScript + +**Since:** PMD 4.0 + +**Priority:** Medium (3) + +Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attribute on the "script" element. +Externalized script could be reused between pages. Browsers can also cache the script, reducing overall download bandwidth. + +``` +//HtmlScript[@Image != ''] +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/design.xml/NoInlineScript" /> +``` + +## NoInlineStyleInformation + +**Since:** PMD 3.6 + +**Priority:** Medium (3) + +Style information should be put in CSS files, not in JSPs. Therefore, don't use <B> or <FONT> +tags, or attributes like "align='center'". + +**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.design.NoInlineStyleInformationRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/design/NoInlineStyleInformationRule.java) + +**Example(s):** + +``` jsp +<html><body><p align='center'><b>text</b></p></body></html> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/design.xml/NoInlineStyleInformation" /> +``` + +## NoLongScripts + +**Since:** PMD 3.6 + +**Priority:** Medium High (2) + +Scripts should be part of Tag Libraries, rather than part of JSP pages. + +``` +//HtmlScript[(@EndLine - @BeginLine > 10)] +``` + +**Example(s):** + +``` jsp +<HTML> +<BODY> +<!--Java Script--> +<SCRIPT language="JavaScript" type="text/javascript"> +<!-- +function calcDays(){ + var date1 = document.getElementById('d1').lastChild.data; + var date2 = document.getElementById('d2').lastChild.data; + date1 = date1.split("-"); + date2 = date2.split("-"); + var sDate = new Date(date1[0]+"/"+date1[1]+"/"+date1[2]); + var eDate = new Date(date2[0]+"/"+date2[1]+"/"+date2[2]); + var daysApart = Math.abs(Math.round((sDate-eDate)/86400000)); + document.getElementById('diffDays').lastChild.data = daysApart; +} + +onload=calcDays; +//--> +</SCRIPT> +</BODY> +</HTML> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/design.xml/NoLongScripts" /> +``` + +## NoScriptlets + +**Since:** PMD 3.6 + +**Priority:** Medium (3) + +Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of JSP pages. + +``` +//JspScriptlet +| +//Element[ upper-case(@Name)="JSP:SCRIPTLET" ] +``` + +**Example(s):** + +``` jsp +<HTML> +<HEAD> +<% +response.setHeader("Pragma", "No-cache"); +%> +</HEAD> + <BODY> + <jsp:scriptlet>String title = "Hello world!";</jsp:scriptlet> + </BODY> +</HTML> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/design.xml/NoScriptlets" /> +``` + diff --git a/docs/pages/pmd/rules/jsp/errorprone.md b/docs/pages/pmd/rules/jsp/errorprone.md new file mode 100644 index 0000000000..4805df2036 --- /dev/null +++ b/docs/pages/pmd/rules/jsp/errorprone.md @@ -0,0 +1,42 @@ +--- +title: Error Prone +summary: Rules to detect constructs that are either broken, extremely confusing or prone to runtime errors. +permalink: pmd_rules_jsp_errorprone.html +folder: pmd/rules/jsp +sidebaractiveurl: /pmd_rules_jsp.html +editmepath: ../pmd-jsp/src/main/resources/category/jsp/errorprone.xml +keywords: Error Prone, JspEncoding +--- +## JspEncoding + +**Since:** PMD 4.0 + +**Priority:** Medium (3) + +A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset. + +``` +//CompilationUnit/Content[ +not(Element[@Name="meta"][ + Attribute[@Name="content"]/AttributeValue[contains(lower-case(@Image),"charset=utf-8")] +]) +and + not(JspDirective[@Name='page']/JspDirectiveAttribute[@Name='contentType'][contains(lower-case(@Value),"charset=utf-8")]) +] +``` + +**Example(s):** + +``` jsp +Most browsers should be able to interpret the following headers: + +<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> + +<meta http-equiv="Content-Type"  content="text/html; charset=UTF-8" /> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/errorprone.xml/JspEncoding" /> +``` + diff --git a/docs/pages/pmd/rules/jsp/security.md b/docs/pages/pmd/rules/jsp/security.md new file mode 100644 index 0000000000..04d531e35a --- /dev/null +++ b/docs/pages/pmd/rules/jsp/security.md @@ -0,0 +1,65 @@ +--- +title: Security +summary: Rules that flag potential security flaws. +permalink: pmd_rules_jsp_security.html +folder: pmd/rules/jsp +sidebaractiveurl: /pmd_rules_jsp.html +editmepath: ../pmd-jsp/src/main/resources/category/jsp/security.xml +keywords: Security, IframeMissingSrcAttribute, NoUnsanitizedJSPExpression +--- +## IframeMissingSrcAttribute + +**Since:** PMD 3.6 + +**Priority:** Medium High (2) + +IFrames which are missing a src element can cause security information popups in IE if you are accessing the page +through SSL. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q261188 + +``` +//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0] +``` + +**Example(s):** + +``` jsp +<HTML><title>bad example><BODY> +<iframe></iframe> +</BODY> </HTML> + +<HTML><title>good example><BODY> +<iframe src="foo"></iframe> +</BODY> </HTML> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/security.xml/IframeMissingSrcAttribute" /> +``` + +## NoUnsanitizedJSPExpression + +**Since:** PMD 5.1.4 + +**Priority:** Medium (3) + +Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - as the expression +would be interpreted by the browser directly (e.g. "<script>alert('hello');</script>"). + +**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.jsp.rule.security.NoUnsanitizedJSPExpressionRule](https://github.com/pmd/pmd/blob/master/pmd-jsp/src/main/java/net/sourceforge/pmd/lang/jsp/rule/security/NoUnsanitizedJSPExpressionRule.java) + +**Example(s):** + +``` jsp +<%@ page contentType="text/html; charset=UTF-8" %> +<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> +${expression} <!-- don't use this --> +${fn:escapeXml(expression)} <!-- instead, escape it --> +<c:out value="${expression}" /> <!-- or use c:out --> +``` + +**Use this rule by referencing it:** +``` xml +<rule ref="rulesets/jsp/security.xml/NoUnsanitizedJSPExpression" /> +``` +