List of rulesets and rules contained in each ruleset.

  • Best Practices: Rules which enforce generally accepted best practices.
  • Codestyle: Rules which enforce a specific coding style.
  • Design: Rules that help you discover design issues.
  • Error Prone: Rules to detect constructs that are either broken, extremely confusing or prone to runtime errors.
  • Security: Rules that flag potential security flaws.

Best Practices

  • DontNestJsfInJstlIteration: Do not nest JSF component custom actions inside a custom action that iterates over its body.
  • NoClassAttribute: Do not use an attribute called ‘class’. Use “styleclass” for CSS styles.
  • NoHtmlComments: In a production system, HTML comments increase the payload between the application server to the c…
  • NoJspForward: Do not do a forward from within a JSP file.

Design

  • NoInlineScript: Avoid inlining HTML script content. Consider externalizing the HTML script using the ‘src’ attri…
  • NoInlineStyleInformation: Style information should be put in CSS files, not in JSPs. Therefore, don’t use or tags...
  • NoLongScripts: Scripts should be part of Tag Libraries, rather than part of JSP pages.
  • NoScriptlets: Scriptlets should be factored into Tag Libraries or JSP declarations, rather than being part of J…

Error Prone

  • JspEncoding: A missing ‘meta’ tag or page directive will trigger this rule, as well as a non-UTF-8 charset.

Security

  • IframeMissingSrcAttribute: IFrames which are missing a src element can cause security information popups in IE if you are ac…
  • NoUnsanitizedJSPExpression: Avoid using expressions without escaping / sanitizing. This could lead to cross site scripting - …