SonarSource Rules

Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

HTML static code analysis

Unique rules to find Bugs, Security Hotspots, and Code Smells in your HTML code

Security Hotspot3

Filtered: 6 rules found

jsp-jsf

Impact

Clean code attribute

HTML comments should be removed

Code Smell

MinorSonarSource default severity
click to learn more

Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that’s left in a page could easily (and has) inadvertently expose:

Version numbers and host names
Full, server-side path names
Sensitive user data

Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.

Ask Yourself Whether

Recommended Secure Coding Practices

Sensitive Code Example

Compliant Solution

See

The comment contains sensitive information.
The comment can be removed.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI