Rules concerning basic JSP guidelines.
Since: PMD 3.6
Priority: 2
Scripts should be part of Tag Libraries, rather than part of JSP pages.
// HtmlScript [ (@EndLine - @BeginLine > 10) ]
Example(s):
<HTML> <BODY> <!--Java Script--> <SCRIPT language="JavaScript" type="text/javascript"> <!-- function calcDays(){ var date1 = document.getElementById('d1').lastChild.data; var date2 = document.getElementById('d2').lastChild.data; date1 = date1.split("-"); date2 = date2.split("-"); var sDate = new Date(date1[0]+"/"+date1[1]+"/"+date1[2]); var eDate = new Date(date2[0]+"/"+date2[1]+"/"+date2[2]); var daysApart = Math.abs(Math.round((sDate-eDate)/86400000)); document.getElementById('diffDays').lastChild.data = daysApart; } onload=calcDays; //--> </SCRIPT> </BODY> </HTML>
Since: PMD 3.6
Priority: 3
Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of JSP pages.
//JspScriptlet | //Element[ upper-case(@Name)="JSP:SCRIPTLET" ]
Example(s):
<HTML> <HEAD> <% response.setHeader("Pragma", "No-cache"); %> </HEAD> <BODY> <jsp:scriptlet>String title = "Hello world!";</jsp:scriptlet> </BODY> </HTML>
Since: PMD 3.6
Priority: 3
Style information should be put in CSS files, not in JSPs. Therefore, don’t use <B> or <FONT> tags, or attributes like “align=‘center’”.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.jsp.rule.basic.NoInlineStyleInformationRule
Example(s):
<html><body><p align='center'><b>text</b></p></body></html>
This rule has the following properties:
Name | Default Value | Description |
---|---|---|
violationSuppressRegex | Suppress violations with messages matching a regular expression | |
violationSuppressXPath | Suppress violations on nodes which match a given relative XPath expression. |
Since: PMD 3.6
Priority: 2
Do not use an attribute called ‘class’. Use “styleclass” for CSS styles.
//Attribute[ upper-case(@Name)="CLASS" ]
Example(s):
<HTML> <BODY> <P class="MajorHeading">Some text</P> </BODY> </HTML>
Since: PMD 3.6
Priority: 3
Do not do a forward from within a JSP file.
//Element[ @Name="jsp:forward" ]
Example(s):
<jsp:forward page='UnderConstruction.jsp'/>
Since: PMD 3.6
Priority: 2
IFrames which are missing a src element can cause security information popups in IE if you are accessing the page through SSL. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q261188
//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0]
Example(s):
<HTML><title>bad example><BODY> <iframe></iframe> </BODY> </HTML> <HTML><title>good example><BODY> <iframe src="foo"></iframe> </BODY> </HTML>
Since: PMD 3.6
Priority: 2
In a production system, HTML comments increase the payload between the application server to the client, and serve little other purpose. Consider switching to JSP comments.
//CommentTag
Example(s):
<HTML><title>bad example><BODY> <!-- HTML comment --> </BODY> </HTML> <HTML><title>good example><BODY> <%-- JSP comment --%> </BODY> </HTML>
Since: PMD 3.7
Priority: 3
Avoid duplicate import statements inside JSP’s.
This rule is defined by the following Java class: net.sourceforge.pmd.lang.jsp.rule.basic.DuplicateJspImportsRule
Example(s):
<%@ page import=\"com.foo.MyClass,com.foo.MyClass\"%><html><body><b><img src=\"<%=Some.get()%>/foo\">xx</img>text</b></body></html>
This rule has the following properties:
Name | Default Value | Description |
---|---|---|
violationSuppressRegex | Suppress violations with messages matching a regular expression | |
violationSuppressXPath | Suppress violations on nodes which match a given relative XPath expression. |
Since: PMD 4.0
Priority: 3
A missing ‘meta’ tag or page directive will trigger this rule, as well as a non-UTF-8 charset.
//Content[ not(Element[@Name="meta"][ Attribute[@Name="content"]/AttributeValue[contains(lower-case(@Image),"charset=utf-8")] ]) and not(JspDirective[@Name='page']/JspDirectiveAttribute[@Name='contentType'][contains(lower-case(@Value),"charset=utf-8")]) ]
Example(s):
Most browsers should be able to interpret the following headers: <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
Since: PMD 4.0
Priority: 3
Avoid inlining HTML script content. Consider externalizing the HTML script using the ‘src’ attribute on the “script” element. Externalized script could be reused between pages. Browsers can also cache the script, reducing overall download bandwidth.
//HtmlScript[@Image != '']
Example(s):
Most browsers should be able to interpret the following headers: <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
Since: PMD 5.1.4
Priority: 3
Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - as the expression would be interpreted by the browser directly (e.g. “”).
This rule is defined by the following Java class: net.sourceforge.pmd.lang.jsp.rule.basic.NoUnsanitizedJSPExpressionRule
Example(s):
<%@ page contentType="text/html; charset=UTF-8" %> <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> ${expression} <!-- don't use this --> ${fn:escapeXml(expression)} <!-- instead, escape it --> <c:out value="${expression}" /> <!-- or use c:out -->
This rule has the following properties:
Name | Default Value | Description |
---|---|---|
violationSuppressRegex | Suppress violations with messages matching a regular expression | |
violationSuppressXPath | Suppress violations on nodes which match a given relative XPath expression. |