SonarSource Rules

Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

HTML static code analysis

Unique rules to find Bugs, Security Hotspots, and Code Smells in your HTML code

Security Hotspot3

Filtered: 6 rules found

cwe

Impact

Clean code attribute

HTML comments should be removed

Code Smell

Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that’s left in a page could easily (and has) inadvertently expose:

Version numbers and host names
Full, server-side path names
Sensitive user data

Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.

Ask Yourself Whether

Recommended Secure Coding Practices

Sensitive Code Example

Compliant Solution

See

The comment contains sensitive information.
The comment can be removed.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.1

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1