rspec/rules/S1876/html/rule.adoc

Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:


* Version numbers and host names
* Full, server-side path names
* Sensitive user data

Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.


== Ask Yourself Whether

* The comment contains sensitive information.
* The comment can be removed.


== Recommended Secure Coding Practices

It is recommended to remove the comment or change its style so that it is not output to the client.


== Sensitive Code Example

----
  <%
      out.write("<!-- ${username} -->");  // Sensitive
  %>
      <!-- <% out.write(userId) %> -->  // Sensitive
      <!-- #{userPhone} -->  // Sensitive
      <!-- ${userAddress} --> // Sensitive

      <!-- Replace 'world' with name --> // Sensitive
      <h2>Hello world!</h2>
----


== Compliant Solution

----
      <%-- Replace 'world' with name --%>  // Compliant
      <h2>Hello world!</h2>
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* http://cwe.mitre.org/data/definitions/615.html[MITRE, CWE-615] - Information Exposure Through Comments
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:`


			`* Version numbers and host names`
			`* Full, server-side path names`
			`* Sensitive user data`

			`Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			`* The comment contains sensitive information.`
			`* The comment can be removed.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			`It is recommended to remove the comment or change its style so that it is not output to the client.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Sensitive Code Example`

			`----`
			`<%`
			`out.write("<!-- ${username} -->"); // Sensitive`
			`%>`
			`<!-- <% out.write(userId) %> --> // Sensitive`
			`<!-- #{userPhone} --> // Sensitive`
			`<!-- ${userAddress} --> // Sensitive`

			`<!-- Replace 'world' with name --> // Sensitive`
			`<h2>Hello world!</h2>`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

			`----`
			`<%-- Replace 'world' with name --%> // Compliant`
			`<h2>Hello world!</h2>`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
			`* http://cwe.mitre.org/data/definitions/615.html[MITRE, CWE-615] - Information Exposure Through Comments`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00