Please follow this template to help us specify this new rule:
The rule should ensure that form tags in HTML, CSHTML, etc. have a method attribute with a valid HTTP verb.
The problem that can occur if this is not done: the default method for a form is GET, which means the form data is concatenated into a query string and sent to the server. As a result, PII could then be stored in analytics tools like Google Analytics, a potential breach of GDPR.
Non-compliant code:
<form>
...
</form>
Compliant code:
<form method="POST">
...
</form>
- external references and/or language specifications
- W3C language spec shows GET is the default: Forms in HTML documents (w3.org)
- type: Vulnerability, Security Hotspot
- tags: html
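As an added illustration of what the proposed rule would flag (this is not SonarSource code or part of the rule proposal), here is a small Python checker built on the standard-library HTMLParser. It reports every form open tag whose method attribute is missing, empty, or not a verb a browser form honours; as the proposal is written, an explicit method="get" is accepted. Forms emitted at runtime by Razor helpers are an assumption left out of scope, since they are not visible as a literal form tag in the source. The sample input is constructed.

```python
"""Minimal checker for the proposed rule: every <form> tag must carry a
method attribute holding a valid HTML form verb. Missing or empty method
means the browser defaults to GET and the field values land in the URL."""
from html.parser import HTMLParser

# Assumption: browsers only honour get and post (plus dialog for <dialog>
# forms); any other value silently falls back to GET, so it is flagged too.
VALID_METHODS = {"get", "post", "dialog"}


class FormMethodChecker(HTMLParser):
    """Collects (line, column, message) for each non-compliant <form>."""

    def __init__(self):
        super().__init__()
        self.issues = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        line, col = self.getpos()          # position of the open tag
        method = dict(attrs).get("method")  # None when absent or valueless
        if method is None or not method.strip():
            self.issues.append((line, col,
                "form has no method attribute: defaults to GET, so field "
                "values are sent in the query string"))
        elif method.strip().lower() not in VALID_METHODS:
            self.issues.append((line, col,
                f"form method '{method}' is not a valid form verb: the "
                "browser falls back to GET"))


def check_forms(source: str):
    """Return the list of issues found in an HTML/CSHTML fragment."""
    parser = FormMethodChecker()
    parser.feed(source)
    parser.close()
    return parser.issues


# Constructed sample fragment, not taken from a real project.
SAMPLE = """<!-- constructed sample, not from a real project -->
<form action="/search">
  <input name="q">
</form>
<form method="POST" action="/signup">
  <input name="email">
</form>
<form method="PUT" action="/api/profile">
</form>
<form method="" action="/x"></form>
"""

if __name__ == "__main__":
    for line, col, msg in check_forms(SAMPLE):
        print(f"line {line}, col {col}: {msg}")
```

Running the block reports the forms on lines 2, 8 and 10 of the sample and accepts the explicit POST form on line 5.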
Guidelines:
We want to add as many valuable rules as possible. Thus we have guidelines to help us see the value of a rule and decide if it should be implemented. Please read them before submitting your rule:
- Is the rule useful for a developer?
- If the rule is a Bug, Code Smell or Vulnerability it should ask the developer to fix a real problem. It shouldn’t raise warnings asking for a manual review.
- If the rule is a Security Hotspot, it should ask the developer to review a security sensitive piece of code. It should raise a reasonable number of issues so that developers don’t feel overwhelmed. The goal in this case is to guide code reviews.
- Does the rule describe enough exceptions, i.e. code on which the rule doesn’t apply? Rules should avoid False Positives even if it creates some blind spots, otherwise developers will stop using SonarQube/SonarCloud/SonarLint. You can check this by looking at open-source projects.
- We put a higher priority on rules valuable to every developer. For example we avoid adding more style rules as each style guide is different.
- We avoid bug rules which raise on syntax errors. There is little value in duplicating compilers’ behavior.
Don’t hesitate to share rule ideas. Even when they don’t match our guidelines it might make somebody else think of an alternative rule.