Rules that flag potential security flaws.

IframeMissingSrcAttribute

Since: PMD 3.6

Priority: Medium High (2)

IFrames which are missing a src element can cause security information popups in IE if you are accessing the page through SSL. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q261188

This rule is defined by the following XPath expression:

//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0]

Example(s):

<HTML><title>bad example><BODY>
<iframe></iframe>
</BODY> </HTML>

<HTML><title>good example><BODY>
<iframe src="foo"></iframe>
</BODY> </HTML>

Use this rule by referencing it:

<rule ref="category/jsp/security.xml/IframeMissingSrcAttribute" />

NoUnsanitizedJSPExpression

Since: PMD 5.1.4

Priority: Medium (3)

Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - as the expression would be interpreted by the browser directly (e.g. "<script>alert(‘hello’);</script>").

This rule is defined by the following Java class: net.sourceforge.pmd.lang.jsp.rule.security.NoUnsanitizedJSPExpressionRule

Example(s):

<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
${expression}                    <!-- don't use this -->
${fn:escapeXml(expression)}      <!-- instead, escape it -->
<c:out value="${expression}" />  <!-- or use c:out -->

Use this rule by referencing it:

<rule ref="category/jsp/security.xml/NoUnsanitizedJSPExpression" />