Html
<li> and <dt> item tags should be in <ul>, <ol> or <dl> container tags
<li> and <dt> item tags should be in <ul>, <ol> or <dl> container tags
Table cells should reference their headers
Table cells should reference their headers
If a `<td> cell has a headers attribute, it should reference only IDs of headers in the same column and row.
Note that it is usually better to use scope attributes of <th> headers instead of headers attribute. headers attribute requires you to list every corresponding <th> header’s id, which is error-prone and makes the code less maintainable. See W3C WAI Web Accessibility Tutorials for more information.
If your table is too complex, it might be better to split it into multiple small tables as it improves both readability and maintainability.
This rule raises an issue when the headers attribute of a <td>` cell contains IDs which don’t belong to a header in the same row or column.
<!DOCTYPE> declarations should appear before <html> tags
<!DOCTYPE> declarations should appear before <html> tags
Tables used for layout should not include semantic markup
Tables used for layout should not include semantic markup
Tables used for layout should not include semantic markup, such as `<th> elements, as it can confuse assistive technologies. At best this information is ignored by screen readers and makes the code less maintainable. However it can also confuse some screen readers and reduce the web page accessibility.
This rule raises an issue when a <table> element containing the role attribute set to “presentation” or “none” also contains any of:
a <caption> element
a <th> element
a non-empty summary attribute
an <td> element with a headers or scope` attribute
<title> should be present in all pages
<title> should be present in all pages
Titles are important because they are displayed in search engine results as well as the browser’s toolbar.
This rule verifies that the <head> tag contains a <title> one, and the <html> tag a <head>
one.
<th> tags should have id or scope attributes
<th> tags should have id or scope attributes
<strong> and <em> tags should be used
<strong> and <em> tags should be used
Scriptlets should not be used
Scriptlets should not be used
Just because you can do something, that doesn’t mean you should, and the use of full-fledged Java in a JSP or JSF falls into that category.
Beside the fact that such code isn’t resuable, testable, maintainable or OO-inheritable, using Java in such client-side pages can leave you incredibly vulnerable from a number of perspectives including security and resource management.
Instead, any heavy-duty logic should happen server-side in a full-fledged Java class. For lighter-weight functions, taglibs should be used.
This rule flags all uses of JSP declarations (<%! … %> and <jsp:declaration>…</jsp:declaration>) and scriptlets (<% … %>
).
<script>...</script> elements should not be nested
<script>...</script> elements should not be nested
When parsing a script node, the browser treats its contents as plain text, and immediately finishes parsing when it finds the first closing `</script> character sequence.
As a consequence, nested script nodes are not possible, because all opening <script> tags found along the way are ignored.
Web browsers doesn’t support nested <script>…</script> elements. But there is no error in such case and browsers just close the first encountered <script> tag as soon as a closing </script>` tag is found along the way. So there is a big chance to display something totally unexpected to the end-users.
Track lack of required an element with the required id
Track lack of required an element with the required id
This rule allows you to make sure that each HTML page contains an element with your configured ID, regardless of element type. This rule is useful, for instance, if your design requires a placeholder to be present in each page, for example to dynamically insert a footer.
Web pages should not contain absolute URIs
Web pages should not contain absolute URIs
It is considered best-practice to use relative URLs in web pages to prevent having to update the addresses if the web address in use changes. Moreover, if some absolute URLs are missed in such a process, it will obviously impact the user experience.
<table> tags should have a description
<table> tags should have a description
JavaScript scriptlets should not have too many lines of code
JavaScript scriptlets should not have too many lines of code
Long pieces of JavaScript should be located in dedicated *.js source files. This makes maintenance of both the script and the pages that use it easier. Additionally, it offers some efficiencies in serving the files, since it takes better advantage of browser caching to only re-serve the parts of a web page that have actually changed.
Track lack of required attributes
Track lack of required attributes
This rule checks that the specified attributes are present in HTML tags.
Flash animations should be embedded using the window mode
Flash animations should be embedded using the window mode
Browsers best support the `window mode for the wmode parameter, also in terms of accessibility.
As it is the default mode, it is acceptable to either not specify a wmode parameter altogether, or to set it explicitly to window`.
<html> element should have a language attribute
<html> element should have a language attribute
The `<html> element should provide the lang and/or xml:lang attribute in order to identify the default language of a document.
It enables assistive technologies, such as screen readers, to provide a comfortable reading experience by adapting the pronunciation and accent to the language. It also helps braille translation software, telling it to switch the control codes for accented characters for instance.
Other benefits of marking the language include:
assisting user agents in providing dictionary definitions or helping users benefit from translation tools.
improving search engine ranking.
Both the lang and the xml:lang` attributes can take only one value.
Track uses of disallowed elements
Track uses of disallowed elements
This rule checks that the specified HTML elements are not present.
Heading tags should be used consecutively from H1 to H6
Heading tags should be used consecutively from H1 to H6
autocomplete should be set to off on input elements of type password
autocomplete should be set to off on input elements of type password
Most browsers automatically fill the content of input elements of type ‘password’ when this password has already been provided in the past.
Imagine that user B takes control of a machine belonging to a user A. Accessing a secured web site as user A is trivial for user B if form input elements are automatically filled in by the browser on the site’s login page.
HTML 5 specifies the ability to turn this functionality off on a field-by-field basis using the autocomplete
attribute, but most modern browsers ignore it in favor of their own password management.
iframes should be sandboxed
iframes should be sandboxed
HTML5 introduces the ability to restrict the permissions of content loaded into an `iframe. Simply adding the sandbox attribute to an iframe tag limits the iframe to simply loading the specified contents; no scripts will run, no popups will pop, and so on. You can re-enable additional functions individually by specifying them in the attribute’s value:
allow-forms - form submission
allow-popups - popups
allow-scripts - script execution
allow-pointer-lock - access to the “pointer lock” API
allow-same-origin - sandboxed content is marked as being from a different domain (even when it’s not). This attribute turns that off so that, for instance, the iframe content can access its site’s cookies.
allow-top-navigation - turns the target attribute of a tags back on
Following the principle of minimum privileges, this rule raises an issue for each iframe which does not have a sandbox` attribute.
Track lack of required child elements
Track lack of required child elements
This rule checks that the specified child elements are present inside the specified parent elements.
Links should not target # or javascript:void(0)
Links should not target # or javascript:void(0)
There are two ways to build a link that has the sole purpose of running JavaScript code. The goal of this rule is to ban such patterns in order to support browsing with JavaScript disabled.
Assignments should not be made in boolean contexts
Assignments should not be made in boolean contexts
The assignment of a boolean variable inside the test of a control structure such as an if, while or for
loop is almost always a mistake and should be corrected to avoid unexpected program results. In fact, even if it was done on purpose, it should be re-examined.
Image tags should have width and height attributes
Image tags should have width and height attributes
Flash animations should be embedded using both <object> and <embed>
Flash animations should be embedded using both <object> and <embed>
The `<object> tag is used by Internet Explorer 3.0 or later on Windows platforms or any browser that supports the use of the Flash ActiveX control. The <embed> tag is used by Netscape Navigator 2.0 or later, or browsers that support the use of the Netscape-compatible plug-in version of Flash Player.
When an ActiveX-enabled browser loads the HTML page, it reads the values set on the <object> and ignores the <embed> tag. When browsers using the Flash plug-in load the HTML page, they read the values set on the <embed> tag and ignore the <object>` tag.
Disallowed taglibs should not be used
Disallowed taglibs should not be used
This rule checks that the disallowed tag libraries are not used.
Track uses of disallowed child elements
Track uses of disallowed child elements
This rule checks that the specified child tag does not appear as a direct child of the specified parent.
Attributes should be quoted using double quotes rather than single ones
Attributes should be quoted using double quotes rather than single ones
Checker to find use of single quote where double quote is preferred.
Attributes should be quoted using single quotes
Attributes should be quoted using single quotes
Checker to find use of double quote where single quote is preferred.
JSF expressions should be syntactically valid
JSF expressions should be syntactically valid
This rule allows to make sure that all JSF Expressions are syntactically correct.
Meta tags should not be used to refresh or redirect
Meta tags should not be used to refresh or redirect
Image, area and button with image elements should have an alt attribute
Image, area and button with image elements should have an alt attribute
JSP expressions should not be used
JSP expressions should not be used
JSP expressions (using <%= … %>
) have been deprecated because they:
Are not unit testable.
Are not reusable.
Cannot make use of object oriented concepts such as inheritence.
Have poor error handling capabilities: if an exception is thrown, an empty page is rended.
Mix the business and presentation logic.
JSP Standard Tag Library (JSTL) and Expression Language should be used instead, enabiling the adoption of the model-view-controller (MVC) design pattern which reduces the coupling between the presentation tier and the business logic.
Some Java packages or classes should not be used in JSP files
Some Java packages or classes should not be used in JSP files
This rule raises an issue when a configured Java package or class is used in a JSP file.
Track uses of disallowed attributes
Track uses of disallowed attributes
This rule checks that the specified attributes are not present in HTML tags.
All HTML tags should be closed
All HTML tags should be closed
HTML <table> should not be used for layout purposes
HTML <table> should not be used for layout purposes
HTML <table> elements should not be used for layout purpose as it can confuse screen readers. It is recommended to use CSS instead.
This rule raises an issue on every <table> element containing a role attribute set to “presentation” or “none”
, which is how W3C recommends marks layout tables.
Server-side image maps (ismap attribute) should not be used
Server-side image maps (ismap attribute) should not be used
The `ismap attribute in an img tag creates a server-side image map: The browser sends the coordinates of the clicked point to the server.
For any person who cannot use a mouse, this form of navigation is inaccessible because it is the position of the cursor on the image that determines the action.
On the other hand, client-side image maps, which use the usemap` attribute allow for each clickable area to specify an alternate text, enabling accessibility for the blind.
Further, in terms of separation of concerns, it is definitely better to leave the task of mapping pixels to links to the client.
Tables should have headers
Tables should have headers
Table headers are essential to enhance the accessibility of a table’s data, particularly for assistive technologies like screen readers. These headers provide the necessary context to transform data into information. Without headers, users get rapidly lost in the flow of data.
This rule raises an issue whenever a <table> does not contain any <th> elements.
Links should not directly target images
Links should not directly target images
Whenever a user clicks on a link that targets an image, the website’s navigation menu will be lost.
From a user point of view, it is as if she left the website.
The only way to return to it is using the browser’s ‘Back’ button.
Instead, it is better to create a page which will display the image using the `<img> tag and preserve the navigation menu.
Further, in terms of accessibility, when the image is embedded into a page, content providers are able to provide an alternate text equivalent through the alt` attribute.
input, select and textarea tags should be labeled
input, select and textarea tags should be labeled
The style attribute should not be used
The style attribute should not be used
The goal of this rule is to ban the usage of HTML “style” property to make sure that all CSS styles are defined in CSS classes. Consolidating all styling into classes makes it easier to read, understand and maintain.
Track uses of disallowed namespaces in XHTML documents
Track uses of disallowed namespaces in XHTML documents
This rule allows to ban declaration of some namespaces in the root element of XHML documents.
<frames> should have a title attribute
<frames> should have a title attribute
Frames allow different web pages to be put together on the same visual space. Users without disabilities can easily scan the contents of all frames at once. However, visually impaired users using screen readers hear the page content linearly.
The title attribute is used to list all the page’s frames, enabling those users to easily navigate among them. Therefore, the <frame> and <iframe> tags should always have a title
attribute.
<fieldset> tags should contain a <legend>
<fieldset> tags should contain a <legend>
<object> tags should provide an alternative content
<object> tags should provide an alternative content
aria-label or aria-labelledby attributes should be used to differentiate similar elements
aria-label or aria-labelledby attributes should be used to differentiate similar elements
If a page contains multiple `<nav> or <aside> elements, each one should have an aria-label or aria-labelledby attribute so that they can be differentiated. The same rule applies when multiple elements have a role attribute with the same “landmark” value.
Landmark roles are: banner, complementary, contentinfo, form, main, navigation, search, application`.
The use of ARIA markup helps users of screen readers navigate across blocks of content. For example it makes groups of links easier to locate or skip.
Locale should be specified for String case conversion
Locale should be specified for String case conversion
Failure to specify a locale for String
case conversions means the system default encoding will be used, possibly creating problems with international characters. Such code may work fine in its “home” environment, but break in ways that are extremely difficult to diagnose for customers who use different encodings. Such bugs can be nearly, if not completely, impossible to reproduce when it’s time to fix them.
Videos should have subtitles
Videos should have subtitles
In order to make your site usable by as many people as possible, subtitles should be provided for videos.
This rule raises an issue when a `video does not include at least one <track/> tag with the kind attribute set to captions, or descriptions or at the very least subtitles.
Note that the subtitles kind is not meant for accessibility but for translation. The kind captions targets people with hearing impairment, whereas descriptions` targets people with vision impairment.
Dynamic includes should not be used
Dynamic includes should not be used
Content that doesn’t change or that doesn’t change often should be included using a mechanism which won’t try to interpret it. Specifically, <%@ include file=”…” %>, which includes the file in the JSP servlet translation phase (i.e. it happens once), should be used instead of <jsp:include page=”…” />
, which includes the page on the file, when the content is being served to the user.
HTML comments should be removed
HTML comments should be removed
ts in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that’s left in a page could easily (and has) inadvertently expose:
Version numbers and host names
Full, server-side path names
Sensitive user data
Every other language has its own native comment format, thus there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.
Labels should be defined in the resource bundle
Labels should be defined in the resource bundle
Web applications can be made available in multiple languages through the use of internationalization. This allows the server to plug in the correct version of a piece of text based on the language chosen, but it requires that internationalization messages be used instead of hard-coded text.
Links with identical texts should have identical targets
Links with identical texts should have identical targets
When links with different targets are given identical link text, this can produce confusion for users of assistive technologies, some of which provide users the ability to view a list of all links on the page.
When this list of links is presented to the user they may be left not knowing the links go to different destinations.
Even if they do realize the links go to different destinations, they may be left not knowing which link to follow to go to the destination they desire.
Favicons should be used in all pages
Favicons should be used in all pages
Favicons are shown for example in the browser’s address bar, bookmark list, or tabs.
They enable users to quickly identify and recognize websites.
Mouse events should have corresponding keyboard events
Mouse events should have corresponding keyboard events
Offering the same experience with the mouse and the keyboard allow users to pick their preferred devices.
Additionally, users of assistive technology will also be able to browse the site even if they cannot use the mouse.
This rule raises an issue when:
an HTML element with an `onMouseover attribute doesn’t also have an onFocus attribute.
an HTML element with an onMouseout attribute doesn’t also have an onBlur attribute.
an HTML element with an onClick attribute doesn’t also have one of the following attributes: onKeyDown, onKeyUp, onKeyPress.
Note that in the case of onClick`, the equivalent keyboard handler should support both the “Enter” and “Space” keys as these are usually used by screen-readers.
Unescaped JSON data should not be written to the output
Unescaped JSON data should not be written to the output
In cross-site scripting attacks, attackers insert attack scripts into your pages. Because no system is fool-proof, it may not be enough to screen the data that’s submitted to an application. You should also escape any content sent to the user so that any malicious code that may have escaped your input screening is neutralized. Specifically, the characters crucial to forming HTML (`&, <, >, ”, ’, and /) must be escaped.
This rule checks that values are not written directly into application/json` blocks or JavaScript variables.
Unused values should not be calculated
Unused values should not be calculated
Calculating or retrieving a value only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it’s not an error, it is at best a waste of resources. Therefore all calculated values should be used.
Multiple page directives should not be used
Multiple page directives should not be used
While you can use as many page
directives as you like, it is more readable to set multiple page attributes in a single directive.
The exception to this rule is when multiple packages are being imported. In that case, imports may be done in separate directives and all other attributes should be set in a single, additional directive.
Attributes deprecated in HTML5 should not be used
Attributes deprecated in HTML5 should not be used
HTML5 is the fifth and current major version of HTML. HTML5 introduced many new elements, attributes, and behaviors. While HTML5 also aimed to be backward-compatible with common parsing of older versions of HTML, many old attributes were deprecated.
The main reason these attributes were deprecated in HTML5 is to separate the concerns of content structure (HTML) and presentation (CSS). This is a fundamental principle of modern web design known as the separation of concerns, which provides multiple advantages:
Maintainability: By separating content and presentation, you can change the look and feel of a website without touching the HTML. You only need to modify the CSS.
Reusability: CSS styles can be reused across multiple pages, making it easier to keep a consistent look and feel across an entire website.
Accessibility: Using CSS for presentation makes it easier to create websites that are accessible to users with disabilities. For example, screen readers can more easily interpret web content when it’s separated from the presentation.
White space should be used in JSP/JSF tags
White space should be used in JSP/JSF tags
Authorizing an opened window to access back to the originating window is security-sensitive
Authorizing an opened window to access back to the originating window is security-sensitive
Track lack of copyright and license headers
Track lack of copyright and license headers
Each source file should start with a header stating file ownership and the license which must be used to distribute the application.
This rule must be fed with the header text that is expected at the beginning of every file.
Track uses of TODO tags
Track uses of TODO tags
Using remote artifacts without integrity checks is security-sensitive
Using remote artifacts without integrity checks is security-sensitive
Using remote artifacts without integrity checks can lead to the unexpected execution of malicious code in the application.
On the client side, where front-end code is executed, malicious code could:
impersonate users’ identities and take advantage of their privileges on the application.
add quiet malware that monitors users’ session and capture sensitive secrets.
gain access to sensitive clients’ personal data.
deface, or otherwise affect the general availability of the application.
mine cryptocurrencies in the background.
Likewise, a compromised software piece that would be deployed on a server-side application could badly affect the application’s security. For example, server-side malware could:
access and modify sensitive technical and business data.
elevate its privileges on the underlying operating system.
Use the compromised application as a pivot to attack the local network.
By ensuring that a remote artifact is exactly what it is supposed to be before using it, the application is protected from unexpected changes applied to it before it is downloaded. Especially, integrity checks will allow for identifying an artifact replaced by malware on the publication website or that was legitimately changed by its author, in a more benign scenario.
Important note: downloading an artifact over HTTPS only protects it while in transit from one host to another. It provides authenticity and integrity checks for the network stream only. It does not ensure the authenticity or security of the artifact itself.