Ensure a method attribute is on a form tag in html

Please follow this template to help us specify this new rule:
The rule should ensure that form tags in HTML, CSHTML, etc. have a method attribute with a valid HTTP verb.
The problem that can occur if this is not done is that the default method for a form is GET, which means the form data is concatenated into a query string and sent to the server. As a result, PPI could then be stored in analytics tools like Google Analytics, a potential breach of GDPR.

Non compliant code:

<form> 
...
</form>

Compliant code:

<form method="POST"> 
...
</form>
  • external references and/or language specifications
  • type : Vulnerability, Security Hotspot
  • tags: html

Guidelines:
We want to add as many valuable rules as possible. Thus we have guidelines to help us see the value of a rule and decide if it should be implemented. Please read them before submitting your rule:

  • Is the rule useful for a developer.
    • If the rule is a Bug, Code Smell or Vulnerability it should ask the developer to fix a real problem. It shouldn’t raise warnings asking for a manual review.
    • If the rule is a Security Hotspot, it should ask the developer to review a security sensitive piece of code. It should raise a reasonable number of issues so that developers don’t feel overwhelmed. The goal in this case is to guide code reviews.
  • Does the rule describe enough exceptions, i.e. code on which the rule doesn’t apply? Rules should avoid False Positives even if it creates some blind spots, otherwise developers will stop using SonarQube/SonarCloud/SonarLint. You can check this by looking at open-source projects.
  • We put a higher priority on rules valuable to every developer. For example we avoid adding more style rules as each style guide is different.
  • We avoid bug rules which raise on syntax errors. There is little value in duplicating compilers’ behavior.

Don’t hesitate to share rule ideas. Even when they don’t match our guidelines it might make somebody else think of an alternative rule.
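A sketch of the check requested in the post above, as an added example that is neither the poster's code nor Sonar's rule implementation. It assumes "valid HTTP verb" means `get` or `post`, the two verbs browsers submit forms with; the names `FormMethodChecker`, `check_forms` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: only the verbs a browser will actually submit a form with.
# Any other value (for example "put") makes the browser fall back to GET.
ALLOWED_METHODS = {"get", "post"}


class FormMethodChecker(HTMLParser):
    """Collects (line, column, message) for <form> tags lacking a valid method."""

    def __init__(self):
        super().__init__()
        self.issues = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":  # HTMLParser lower-cases tag and attribute names
            return
        attr_map = {}
        for name, value in attrs:
            attr_map.setdefault(name, value)  # first duplicate wins, as in browsers
        line, col = self.getpos()  # position of the opening "<"
        if "method" not in attr_map:
            self.issues.append((line, col, "form has no method attribute (defaults to GET)"))
            return
        value = (attr_map["method"] or "").strip().lower()
        if value not in ALLOWED_METHODS:
            self.issues.append((line, col, f"form method {value!r} is invalid (falls back to GET)"))


def check_forms(markup):
    """Return the list of issues found in an HTML string."""
    checker = FormMethodChecker()
    checker.feed(markup)
    checker.close()
    return checker.issues


# Constructed sample input: one compliant form and three non-compliant ones.
SAMPLE = """<html><body>
<form action="/search">
  <input name="email">
</form>
<form method="POST" action="/signup">
  <input name="email">
</form>
<form method="PUT" action="/profile"></form>
<form method action="/x"></form>
</body></html>
"""

if __name__ == "__main__":
    for line, col, msg in check_forms(SAMPLE):
        print(f"{line}:{col}: {msg}")
```

Server-side templates such as CSHTML can emit the attribute value dynamically, which a static check like this cannot resolve and would need to treat as an exception.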

Hello @Carpentweet, welcome to our community.

Thank you for the suggestion, it indeed looks like a valid use-case to me. We will discuss it internally and let you know if creating this rule fits on our roadmap.

Cheers,

Gyula


Hi Gyula,

Is there any update on whether this will be added to the roadmap? Internally there have been requests to follow up on this so we can close the loop.

Thanks,
Ashley

Hello Ashley,

While I cannot give you an exact timeline, we have committed ourselves to implement this rule in the coming months. You can monitor its status in the following ticket: [SONARHTML-146] S???? - Ensure form tags have a method attribute - SonarSource

Thank you for the nice suggestion!

Gyula

Hi Gyula,

That’s perfect, exactly the information I was after.

Thanks very much,
Ashley