Rules that flag potential security flaws.

IframeMissingSrcAttribute

Since: PMD 3.6

Priority: Medium High (2)

An <iframe> that has no src attribute loads an empty document; when the enclosing page is served over SSL, Internet Explorer treats that empty frame as non-secure content and shows its "security information" (mixed content) prompt. See Microsoft Knowledge Base article Q261188. Note that the rule only checks that a src attribute is present, not what it contains.

This rule is defined by the following XPath expression:

//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0]


<HTML><title>bad example</title><BODY>
<iframe></iframe>
</BODY></HTML>

<HTML><title>good example</title><BODY>
<iframe src="foo"></iframe>
</BODY></HTML>
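The same check as the XPath expression above, reimplemented in Python with the standard library's HTML parser so it can be run over plain HTML or rendered JSP output. This is an added example, not PMD's own code; the sample page it scans is constructed here.

```python
"""Find <iframe> tags with no src attribute, mirroring PMD's IframeMissingSrcAttribute XPath."""
from html.parser import HTMLParser


class IframeSrcChecker(HTMLParser):
    """Records every <iframe> start tag that lacks a src attribute.

    HTMLParser lower-cases tag and attribute names, which gives the same
    case-insensitive matching as upper-case(@Name) in the XPath expression.
    """

    def __init__(self):
        super().__init__()
        self.violations = []  # (line, column) of each offending <iframe>

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (<iframe/>) falls through to this method as well.
        if tag != "iframe":
            return
        # attrs is a list of (name, value) pairs. Like count(Attribute[...]) in the
        # XPath, this only tests presence: src="" still counts as present.
        if not any(name == "src" for name, _value in attrs):
            self.violations.append(self.getpos())


def find_iframes_missing_src(markup: str):
    """Return (line, column) positions of <iframe> tags without a src attribute."""
    checker = IframeSrcChecker()
    checker.feed(markup)
    checker.close()
    return checker.violations


# Constructed sample page: line 2 violates the rule, lines 3 and 4 do not
# (line 4 has an empty src, which the rule still accepts as present).
SAMPLE_PAGE = """<HTML><title>constructed sample</title><BODY>
<IFRAME></IFRAME>
<iframe src="https://example.invalid/frame"></iframe>
<iframe SRC=""></iframe>
</BODY></HTML>"""

if __name__ == "__main__":
    for line, col in find_iframes_missing_src(SAMPLE_PAGE):
        print(f"line {line}, column {col}: <iframe> without src attribute")
```

Because the check is attribute presence only, an empty or unsafe src passes it; that matches the rule's scope, so an empty src on line 4 of the sample is deliberately not reported.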

Use this rule by referencing it:

<rule ref="category/jsp/security.xml/IframeMissingSrcAttribute" />

NoUnsanitizedJSPExpression

Since: PMD 5.1.4

Priority: Medium (3)

Avoid writing EL expressions (${...}) straight into the page without escaping or sanitizing them. JSP substitutes the expression's value into the response verbatim, so any markup contained in attacker-controlled data (for example "<script>alert('hello');</script>" arriving in a request parameter) is interpreted by the browser as part of the page, which is cross-site scripting. Escape the value with fn:escapeXml, or emit it through <c:out>, which escapes by default.

This rule is defined by the following Java class:


<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="fn" uri="" %>
${expression}                    <!-- don't use this -->
${fn:escapeXml(expression)}      <!-- instead, escape it -->
<c:out value="${expression}" />  <!-- or use c:out -->
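To make the escaping concrete, and to show the kind of check the rule performs, here is an added Python example (not PMD's or JSTL's code). escape_xml reproduces the five replacements fn:escapeXml applies; find_unsanitized_expressions flags ${...} occurrences that are neither wrapped in fn:escapeXml nor emitted through <c:out>. Treating <c:out escapeXml="false"> as a finding is this example's own, stricter policy and is not claimed to be what the PMD rule does; the sample JSP it scans is constructed.

```python
"""Flag unescaped JSP EL output and show what fn:escapeXml would have emitted."""
import re

# The characters JSTL's fn:escapeXml replaces, with the entity forms it emits.
_ESCAPE_XML = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&#034;",
    "'": "&#039;",
}


def escape_xml(value: str) -> str:
    """Reimplementation of fn:escapeXml for the five significant characters."""
    return "".join(_ESCAPE_XML.get(ch, ch) for ch in value)


# One ${...} expression. EL does not nest braces inside ${ }, so [^}]* is enough.
_EL_EXPR = re.compile(r"\$\{([^}]*)\}")
# Expression body that is entirely a fn:escapeXml(...) call.
_SAFE_WRAPPER = re.compile(r"^\s*fn:escapeXml\s*\(.*\)\s*$", re.DOTALL)
# A whole <c:out ...> tag, and the attribute that turns its escaping off.
_C_OUT_TAG = re.compile(r"<c:out\b[^>]*>", re.IGNORECASE)
_ESCAPE_OFF = re.compile(r"\bescapeXml\s*=\s*[\"']\s*false\s*[\"']", re.IGNORECASE)


def _scrub_c_out(tag_match):
    """Drop <c:out> tags that escape (the default); keep ones with escapeXml="false"."""
    tag = tag_match.group(0)
    if _ESCAPE_OFF.search(tag):
        return tag  # escaping disabled: leave the ${...} in place so it is reported
    return ""       # escaped output: remove the tag so its ${...} is not reported


def find_unsanitized_expressions(jsp_source: str):
    """Return (line, expression) for each ${...} written straight into the page."""
    findings = []
    for lineno, line in enumerate(jsp_source.splitlines(), start=1):
        scrubbed = _C_OUT_TAG.sub(_scrub_c_out, line)
        for match in _EL_EXPR.finditer(scrubbed):
            if _SAFE_WRAPPER.match(match.group(1)):
                continue
            findings.append((lineno, match.group(0)))
    return findings


# Constructed sample: lines 2 and 5 are unsafe, lines 3 and 4 are safe.
SAMPLE_JSP = """<%@ page contentType="text/html; charset=UTF-8" %>
<p>Hello ${param.name}</p>
<p>Hello ${fn:escapeXml(param.name)}</p>
<c:out value="${param.name}" />
<c:out value="${param.name}" escapeXml="false" />
"""

if __name__ == "__main__":
    payload = "<script>alert('hello');</script>"
    print("unescaped:", payload)
    print("escaped:  ", escape_xml(payload))
    for lineno, expr in find_unsanitized_expressions(SAMPLE_JSP):
        print(f"line {lineno}: {expr} is written to the page without escaping")
```

The detection is purely syntactic, as a static rule has to be: an expression such as ${fn:escapeXml(a).concat(b)} ends in a closing parenthesis and is accepted even though b is not escaped, so the check is a guard rail for reviewers rather than proof that a page is free of XSS.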

Use this rule by referencing it:

<rule ref="category/jsp/security.xml/NoUnsanitizedJSPExpression" />