ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S1876/html/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

84 lines
2.5 KiB
Plaintext
Raw Permalink Blame History

Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:
* Version numbers and host names
* Full, server-side path names
* Sensitive user data
Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.
== Ask Yourself Whether
* The comment contains sensitive information.
* The comment can be removed.
== Recommended Secure Coding Practices
It is recommended to remove the comment or change its style so that it is not output to the client.
== Sensitive Code Example
----
<%
out.write("<!-- ${username} -->"); // Sensitive
%>
<!-- <% out.write(userId) %> --> // Sensitive
<!-- #{userPhone} --> // Sensitive
<!-- ${userAddress} --> // Sensitive
<!-- Replace 'world' with name --> // Sensitive
<h2>Hello world!</h2>
----
== Compliant Solution
[source,html]
----
<%-- Replace 'world' with name --%> // Compliant
<h2>Hello world!</h2>
----
== See
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/615[CWE-615 - Information Exposure Through Comments]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure that the HTML comment does not contain sensitive information.
'''
== Comments And Links
(visible only on this page)
=== is related to: S1531
=== on 29 Jul 2014, 11:38:41 Freddy Mallet wrote:
According to the discussion we had yesterday, do you confirm that we can remove those comments @Ann ? Thanks
=== on 29 Jul 2014, 15:46:41 Ann Campbell wrote:
\[~freddy.mallet] It's in my ToDo list to merge this with RSPEC-1531
=== on 30 Jul 2014, 20:35:52 Freddy Mallet wrote:
Feedback [~ann.campbell.2]:
* As obvious as this rule can be, I would add some "Noncompliant/Compliant" sections
* Even if this rule is classified in the "Security" category I would decrease the severity to "Minor" or "Major" as the risk to have an HTML comment containing a sensitive information remains low
* We should decide if we want to use bullet points or table for the See section
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink