rspec/rules/S1876/html/rule.adoc

Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:


* Version numbers and host names
* Full, server-side path names
* Sensitive user data

Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.


== Ask Yourself Whether

* The comment contains sensitive information.
* The comment can be removed.


== Recommended Secure Coding Practices

It is recommended to remove the comment or change its style so that it is not output to the client.


== Sensitive Code Example

----
  <%
      out.write("<!-- ${username} -->");  // Sensitive
  %>
      <!-- <% out.write(userId) %> -->  // Sensitive
      <!-- #{userPhone} -->  // Sensitive
      <!-- ${userAddress} --> // Sensitive

      <!-- Replace 'world' with name --> // Sensitive
      <h2>Hello world!</h2>
----


== Compliant Solution

[source,html]
----
      <%-- Replace 'world' with name --%>  // Compliant
      <h2>Hello world!</h2>
----


== See

* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/615[CWE-615 - Information Exposure Through Comments]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure that the HTML comment does not contain sensitive information.


'''
== Comments And Links
(visible only on this page)

=== is related to: S1531

=== on 29 Jul 2014, 11:38:41 Freddy Mallet wrote:
According to the discussion we had yesterday, do you confirm that we can remove those comments @Ann ? Thanks

=== on 29 Jul 2014, 15:46:41 Ann Campbell wrote:
\[~freddy.mallet] It's in my ToDo list to merge this with RSPEC-1531

=== on 30 Jul 2014, 20:35:52 Freddy Mallet wrote:
Feedback [~ann.campbell.2]:

* As obvious as this rule can be, I would add some "Noncompliant/Compliant" sections
* Even if this rule is classified in the "Security" category I would decrease the severity to "Minor" or "Major" as the risk to have an HTML comment containing a sensitive information remains low
* We should decide if we want to use bullet points or table for the See section

endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:`


			`* Version numbers and host names`
			`* Full, server-side path names`
			`* Sensitive user data`

			`Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			`* The comment contains sensitive information.`
			`* The comment can be removed.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			`It is recommended to remove the comment or change its style so that it is not output to the client.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Sensitive Code Example`

			`----`
			`<%`
			`out.write("<!-- ${username} -->"); // Sensitive`
			`%>`
			`<!-- <% out.write(userId) %> --> // Sensitive`
			`<!-- #{userPhone} --> // Sensitive`
			`<!-- ${userAddress} --> // Sensitive`

			`<!-- Replace 'world' with name --> // Sensitive`
			`<h2>Hello world!</h2>`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,html]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`<%-- Replace 'world' with name --%> // Compliant`
			`<h2>Hello world!</h2>`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]`
			`* CWE - https://cwe.mitre.org/data/definitions/615[CWE-615 - Information Exposure Through Comments]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure that the HTML comment does not contain sensitive information.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== is related to: S1531`

			`=== on 29 Jul 2014, 11:38:41 Freddy Mallet wrote:`
			`According to the discussion we had yesterday, do you confirm that we can remove those comments @Ann ? Thanks`

			`=== on 29 Jul 2014, 15:46:41 Ann Campbell wrote:`
			`\[~freddy.mallet] It's in my ToDo list to merge this with RSPEC-1531`

			`=== on 30 Jul 2014, 20:35:52 Freddy Mallet wrote:`
			`Feedback [~ann.campbell.2]:`

			`* As obvious as this rule can be, I would add some "Noncompliant/Compliant" sections`
			`* Even if this rule is classified in the "Security" category I would decrease the severity to "Minor" or "Major" as the risk to have an HTML comment containing a sensitive information remains low`
			`* We should decide if we want to use bullet points or table for the See section`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`