Basic JSP

Rules concerning basic JSP guidelines.

NoLongScripts

Since: PMD 3.6

Scripts should be part of Tag Libraries, rather than part of JSP pages.

					 
// Element [ upper-case(@Name)="SCRIPT" and (@EndLine - @BeginLine > 10) ]
				
				
Example(s):
			
<HTML>
<BODY>
<!--Java Script-->
<SCRIPT language="JavaScript" type="text/javascript">
<!--
function calcDays(){
  var date1 = document.getElementById('d1').lastChild.data;
  var date2 = document.getElementById('d2').lastChild.data;
  date1 = date1.split("-");
  date2 = date2.split("-");
  var sDate = new Date(date1[0]+"/"+date1[1]+"/"+date1[2]);
  var eDate = new Date(date2[0]+"/"+date2[1]+"/"+date2[2]);
  var daysApart = Math.abs(Math.round((sDate-eDate)/86400000));
  document.getElementById('diffDays').lastChild.data = daysApart;
}

onload=calcDays;
//-->
</SCRIPT>
</BODY>
</HTML>
			
		

NoScriptlets

Since: PMD 3.6

Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of JSP pages.

					
					//JspScriptlet
					|
					//Element[ upper-case(@Name)="JSP:SCRIPTLET" ]
					
				
Example(s):
			 
<HTML>
<HEAD>
<%
response.setHeader("Pragma", "No-cache");
%>
</HEAD>
	<BODY>
		<jsp:scriptlet>String title = "Hello world!";</jsp:scriptlet>
	</BODY>
</HTML>
					 
		

NoInlineStyleInformation

Since: PMD 3.6

Style information should be put in CSS files, not in JSPs. Therefore, don't use <B> or <FONT> tags, or attributes like "align='center'".

This rule is defined by the following Java class:net.sourceforge.pmd.lang.jsp.rule.basic.NoInlineStyleInformationRule

Example(s):
			
<html><body><p align='center'><b>text</b></p></body></html>
			
		

NoClassAttribute

Since: PMD 3.6

Do not use an attribute called 'class'. Use "styleclass" for CSS styles.

					 //Attribute[ upper-case(@Name)="CLASS" ]  
				
Example(s):
			
<HTML> <BODY>
<P class="MajorHeading">Some text</P>
</BODY> </HTML>
			
		

NoJspForward

Since: PMD 3.6

Do not do a forward from within a JSP file.

					 //Element[ @Name="jsp:forward" ]  
				
Example(s):
			
<jsp:forward page='UnderConstruction.jsp'/>
			
		

IframeMissingSrcAttribute

Since: PMD 3.6

IFrames which are missing a src element can cause security information popups in IE if you are accessing the page through SSL. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q261188

					 
	//Element[upper-case(@Name)="IFRAME"][count(Attribute[upper-case(@Name)="SRC" ]) = 0]
					 
				
Example(s):
			
<HTML><title>bad example><BODY>
<iframe></iframe>
</BODY> </HTML>

<HTML><title>good example><BODY>
<iframe src="foo"></iframe>
</BODY> </HTML>
			
		

NoHtmlComments

Since: PMD 3.6

In a production system, HTML comments increase the payload between the application server to the client, and serve little other purpose. Consider switching to JSP comments.

					 
	//CommentTag
					 
				
Example(s):
			
<HTML><title>bad example><BODY>
<!-- HTML comment -->
</BODY> </HTML>

<HTML><title>good example><BODY>
<%-- JSP comment --%>
</BODY> </HTML>
			
		

DuplicateJspImports

Since: PMD 3.7

Avoid duplicate import statements inside JSP's.

This rule is defined by the following Java class:net.sourceforge.pmd.lang.jsp.rule.basic.DuplicateJspImportsRule

Example(s):
			 
<%@ page import=\"com.foo.MyClass,com.foo.MyClass\"%><html><body><b><img src=\"<%=Some.get()%>/foo\">xx</img>text</b></body></html>
			 
		

JspEncoding

Since: PMD

A missing 'meta' tag or page directive will trigger this rule, as well as a non-UTF-8 charset.

					
//Content[
not(Element[@Name="meta"][
   Attribute[@Name="content"]/AttributeValue[contains(lower-case(@Image),"charset=utf-8")]
]) 
and 
    not(JspDirective[@Name='page']/JspDirectiveAttribute[@Name='contentType'][contains(lower-case(@Value),"charset=utf-8")])
]
                    
				
Example(s):
			
                Most browsers should be able to interpret the following headers:
                
                <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
                    
                <meta http-equiv="Content-Type"  content="text/html; charset=UTF-8" />
            
		

NoInlineScript

Since: PMD

Avoid inlining HTML script content. Consider externalizing the HTML script using the 'src' attribute on the <script> element. Externalized script could be reused between pages. Browsers can also cache the script, reducing overall download bandwidth.

                    
//HtmlScript[@Image != '']
                    
                
Example(s):
            
                Most browsers should be able to interpret the following headers:
                
                <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
                    
                <meta http-equiv="Content-Type"  content="text/html; charset=UTF-8" />