RSPEC-1876

Using HTML comments is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that the HTML comment does not contain sensitive information.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Legacy Key:
      AvoidHtmlCommentCheck
    • Covered Languages:
      HTML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • CWE:
      CWE-615
    • OWASP:
      A3

      Description

      Using HTML-style comments in a page that is generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. Unlike a server-side comment, an HTML comment is sent to the client verbatim, so a developer note or line of debugging information left in such a page can easily (and has been known to) inadvertently expose:

      • Version numbers and host names
      • Full, server-side path names
      • Sensitive user data

      Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.

      Ask Yourself Whether

      • The comment contains sensitive information.
      • The comment can be removed.

      Recommended Secure Coding Practices

      It is recommended to remove the comment or change its style so that it is not output to the client.

      Sensitive Code Example

        <%
            out.write("<!-- ${username} -->");  // Sensitive
        %>
        <!-- <% out.write(userId) %> -->  // Sensitive
        <!-- #{userPhone} -->  // Sensitive
        <!-- ${userAddress} -->  // Sensitive

        <!-- Replace 'world' with name -->  // Sensitive
        <h2>Hello world!</h2>


      Compliant Solution

        <%-- Replace 'world' with name --%>  // Compliant
        <h2>Hello world!</h2>
      
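      The following added example (not part of the rule page or of SonarSource's analyzer) makes the difference between the two comment styles concrete. It contains a toy model of JSP-like server-side processing, a small detector that flags HTML comments in a template the way this hotspot would, and a remediation that rewrites them as server-side comments. The template strings, the context values and the function names are constructed for illustration; the interpolation syntaxes it looks for (`${...}`, `#{...}`, `<% ... %>`) are the ones shown in the sensitive code example above.

```python
import re

# Constructed sample templates (not taken from any real project).
SENSITIVE_TEMPLATE = """<html>
<!-- ${username} -->
<!-- Replace 'world' with name -->
<h2>Hello world!</h2>
</html>"""

COMPLIANT_TEMPLATE = """<html>
<%-- Replace 'world' with name --%>
<h2>Hello world!</h2>
</html>"""

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)
# Server-side interpolation forms from the rule's example: ${...}, #{...}, <% ... %>
# (the "<%[^-]" guard keeps "<%--" server-side comments from matching as scriptlets).
INTERPOLATION = re.compile(r"\$\{[^}]*\}|#\{[^}]*\}|<%[^-].*?%>", re.DOTALL)


def render_jsp_like(template, ctx):
    """Toy model of server-side processing: server-side comments are dropped
    before the page is sent, ${var} placeholders are replaced from ctx, and
    everything else (HTML comments included) reaches the client verbatim."""
    out = JSP_COMMENT.sub("", template)
    return re.sub(r"\$\{(\w+)\}", lambda m: str(ctx.get(m.group(1), "")), out)


def find_hotspots(template):
    """Return (line_no, comment_body, reason) for every HTML comment that would
    be served to the client. Comments that interpolate server-side data get a
    stronger reason than plain developer notes."""
    hotspots = []
    for m in HTML_COMMENT.finditer(template):
        line_no = template.count("\n", 0, m.start()) + 1
        body = m.group(1).strip()
        if INTERPOLATION.search(m.group(0)):
            reason = "interpolates server-side data into a client-visible comment"
        else:
            reason = "developer comment is served to the client"
        hotspots.append((line_no, body, reason))
    return hotspots


def to_server_side_comments(template):
    """Remediation: change each HTML comment into a JSP-style comment so the
    server strips it before the response is built."""
    return HTML_COMMENT.sub(lambda m: "<%--" + m.group(1) + "--%>", template)


if __name__ == "__main__":
    for line_no, body, reason in find_hotspots(SENSITIVE_TEMPLATE):
        print(f"line {line_no}: <!-- {body} --> : {reason}")
    print(render_jsp_like(SENSITIVE_TEMPLATE, {"username": "alice"}))
    print(render_jsp_like(to_server_side_comments(SENSITIVE_TEMPLATE), {"username": "alice"}))
```

      Running the script shows the rendered sensitive page still carrying `<!-- alice -->` and the developer note, while the remediated template renders with neither; the detector reports nothing for the compliant template.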

      People

      Reporter:
      freddy.mallet Freddy Mallet (Inactive)