Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

HTML static code analysis

Unique rules to find Bugs, Security Hotspots, and Code Smells in your HTML code

Tags

Impact

Clean code attribute

Label elements should have a text label and an associated control
Code Smell
Elements with an interactive role should support focus
Code Smell
Images should have a non-redundant alternate description
Code Smell
Heading elements should have accessible content
Code Smell
Non-interactive DOM elements should not have an interactive handler
Code Smell
Non-interactive elements shouldn't have event handlers
Code Smell
DOM elements should not use the "accesskey" property
Code Smell
Non-interactive DOM elements should not have the `tabIndex` property
Code Smell
Anchor tags should not be used as buttons
Code Smell
Interactive DOM elements should not have non-interactive ARIA roles
Code Smell
Non-interactive DOM elements should not have interactive ARIA roles
Code Smell
"tabIndex" values should be 0 or -1
Code Smell
DOM elements should use the "autocomplete" attribute correctly
Code Smell
Anchors should contain accessible content
Code Smell
Focusable elements should not have "aria-hidden" attribute
Code Smell
DOM elements with the `aria-activedescendant` property should be accessible via the tab key
Code Smell
ARIA properties in DOM elements should have valid values
Code Smell
Using remote artifacts without integrity checks is security-sensitive
Security Hotspot
"<object>" tags should provide an alternative content
Code Smell
Table cells should reference their headers
Bug
Tables used for layout should not include semantic markup
Bug
HTML "<table>" should not be used for layout purposes
Code Smell
Tables should have headers
Bug
"aria-label" or "aria-labelledby" attributes should be used to differentiate similar elements
Code Smell
"<html>" element should have a language attribute
Bug
Disabling auto-escaping in template engines is security-sensitive
Security Hotspot
Authorizing an opened window to access back to the originating window is security-sensitive
Security Hotspot
<script>...</script> elements should not be nested
Bug
Videos should have subtitles
Code Smell
Track presence of forbidden parent element
Code Smell
Dynamic includes should not be used
Code Smell
Track uses of disallowed elements
Code Smell
The "style" attribute should not be used
Code Smell
Track uses of disallowed attributes
Code Smell
Track lack of required child elements
Code Smell
Some Java packages or classes should not be used in JSP files
Code Smell
Track uses of disallowed child elements
Code Smell
Multiple "page" directives should not be used
Code Smell
White space should be used in JSP/JSF tags
Code Smell
Disallowed "taglibs" should not be used
Code Smell
Track lack of required attributes
Code Smell
Labels should be defined in the resource bundle
Bug
Track lack of required parent elements
Code Smell
Files should not be too complex
Code Smell
HTML comments should be removed
Code Smell
Web pages should not contain absolute URIs
Code Smell
Attributes deprecated in HTML5 should not be used
Code Smell
JSP expressions should not be used
Code Smell
All HTML tags should be closed
Bug
Attributes should be quoted using double quotes rather than single ones
Code Smell
JavaScript scriptlets should not have too many lines of code
Code Smell
Track lack of copyright and license headers
Code Smell
Track lack of required an element with the required "id"
Code Smell
JSF expressions should be syntactically valid
Bug
Track uses of disallowed namespaces in XHTML documents
Code Smell
Sections of code should not be commented out
Code Smell
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell
"<th>" tags should have "id" or "scope" attributes
Bug
Links with identical texts should have identical targets
Code Smell
"<strong>" and "<em>" tags should be used
Bug
Image tags should have "width" and "height" attributes
Bug
Favicons should be used in all pages
Code Smell
"input", "select" and "textarea" tags should be labeled
Bug
"<title>" should be present in all pages
Bug
"<!DOCTYPE>" declarations should appear before "<html>" tags
Bug
Meta tags should not be used to refresh or redirect
Code Smell
"<li>" and "<dt>" item tags should be in "<ul>", "<ol>" or "<dl>" container tags
Bug
Links should not directly target images
Code Smell
Server-side image maps ("ismap" attribute) should not be used
Bug
"<frames>" should have a "title" attribute
Bug
"<fieldset>" tags should contain a "<legend>"
Bug
Flash animations should be embedded using the window mode
Bug
Flash animations should be embedded using both "<object>" and "<embed>"
Bug
Heading tags should be used consecutively from "H1" to "H6"
Code Smell
"<table>" tags should have a description
Bug
Links should not target "#" or "javascript:void(0)"
Code Smell
Elements deprecated in HTML5 should not be used
Bug
Mouse events should have corresponding keyboard events
Bug
Image, area and button with image elements should have an "alt" attribute
Code Smell
Tabulation characters should not be used
Code Smell
Files should not have too many lines
Code Smell
Lines should not be too long
Code Smell

HTML comments should be removed

Code Smell

cwe
jsp-jsf

Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that’s left in a page could easily (and has) inadvertently expose:

Version numbers and host names
Full, server-side path names
Sensitive user data

Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.