JavaScript Scan rules
Contrast Scan supports these rules for JavaScript.
Severity | Contrast rule | Engine rule ID | Description |
---|---|---|---|
Critical | Improper Certificate Validation | OPT.JAVASCRIPT.ImproperCertificateValidation | ImproperCertificateValidation: Improper Certificate Validation |
Critical | Too Much Origins Allowed | OPT.JAVASCRIPT.TooMuchOriginsAllowed | TooMuchOriginsAllowed: CORS policy (Cross-origin resource sharing) too broad |
Critical | Contextual Escaping Disabled | OPT.JAVASCRIPT.ANGULARJS.ContextualEscapingDisabled | ContextualEscapingDisabled: Strict Contextual Escaping (SCE) disabled |
Critical | Unsafe Resource Url Whitelist | OPT.JAVASCRIPT.ANGULARJS.UnsafeResourceUrlWhitelist | UnsafeResourceUrlWhitelist: Loading Angular templates insecurely |
Critical | Unsafe Url Whitelist | OPT.JAVASCRIPT.ANGULARJS.UnsafeUrlWhitelist | UnsafeUrlWhitelist: Unsafe URL whitelist |
Critical | Sandbox Allow Scripts And Same Origin | OPT.JAVASCRIPT.JSX.SandboxAllowScriptsAndSameOrigin | SandboxAllowScriptsAndSameOrigin: Unsafe sandbox with allow-scripts and allow-same-origin |
Critical | No Use Of Eval | OPT.JAVASCRIPT.PERFORMANCE.NoUseOfEval | NoUseOfEval: Do not use eval() function, for security and performance reasons |
Critical | Client Side Template Injection | OPT.JAVASCRIPT.ClientSideTemplateInjection | ClientSideTemplateInjection: Client-side Template Injection |
Critical | Code Injection | OPT.JAVASCRIPT.CodeInjection | CodeInjection: Improper Control of Generation of Code ('Code Injection') |
Critical | Code Injection With Deserialization | OPT.JAVASCRIPT.CodeInjectionWithDeserialization | CodeInjectionWithDeserialization: Dynamic code injection during object deserialization |
Critical | Command Injection | OPT.JAVASCRIPT.CommandInjection | CommandInjection: Avoid letting non-neutralized user-controlled input become part of an OS command |
Critical | Connection String Parameter Pollution | OPT.JAVASCRIPT.ConnectionStringParameterPollution | ConnectionStringParameterPollution: Connection string polluted with untrusted input |
Critical | Cookie Poisoning | OPT.JAVASCRIPT.CookiePoisoning | CookiePoisoning: Cookie Poisoning |
Critical | Cross Site Scripting | OPT.JAVASCRIPT.CrossSiteScripting | CrossSiteScripting: Improper neutralization of input during web content generation (Cross-site Scripting, XSS) |
Critical | DoS Regexp | OPT.JAVASCRIPT.DoSRegexp | DoSRegexp: Potential denial-of-service attack through malicious regular expression (ReDoS) |
Critical | Http Parameter Pollution | OPT.JAVASCRIPT.HttpParameterPollution | HttpParameterPollution: HTTP parameter pollution (HPP) |
Critical | Ldap Injection | OPT.JAVASCRIPT.LdapInjection | LdapInjection: Avoid non-neutralized user-controlled input in LDAP search filters |
Critical | Mail Command Injection | OPT.JAVASCRIPT.MailCommandInjection | MailCommandInjection: Mail Command Injection |
Critical | No SQL Injection | OPT.JAVASCRIPT.NoSQLInjection | NoSQLInjection: Improper neutralization of special elements in data query logic (NoSQL injection) |
Critical | Resource Injection | OPT.JAVASCRIPT.ResourceInjection | ResourceInjection: Do not allow external input to control resource identifiers |
Critical | Same Origin Method Execution | OPT.JAVASCRIPT.SameOriginMethodExecution | SameOriginMethodExecution: Same Origin Method Execution (SOME) |
Critical | Server Side Template Injection | OPT.JAVASCRIPT.ServerSideTemplateInjection | ServerSideTemplateInjection: Server-side Template Injection |
Critical | SQL Injection | OPT.JAVASCRIPT.SqlInjection | SqlInjection: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Critical | Stored Cross Site Scripting | OPT.JAVASCRIPT.StoredCrossSiteScripting | StoredCrossSiteScripting: Web content generation from improperly sanitized database data and unescaped output (Stored Cross-site Scripting, XSS) |
Critical | Xml Entity Injection | OPT.JAVASCRIPT.XmlEntityInjection | XmlEntityInjection: XML entity injection |
Critical | Angular Cross Site Scripting | OPT.JAVASCRIPT.ANGULARJS.AngularCrossSiteScripting | AngularCrossSiteScripting: Improper neutralization of input during web content generation (Cross-site Scripting, XSS) - AngularJS |
Critical | Vue Html Escape Disabled | OPT.JAVASCRIPT.VUE.VueHtmlEscapeDisabled | VueHtmlEscapeDisabled: Vue HTML escaping is disabled. |
Critical | Avoid Assignment In Condition | OPT.JAVASCRIPT.ERRORCOMUN.AvoidAssignmentInCondition | AvoidAssignmentInCondition: Avoid assignments in conditional statements |
Critical | Avoid Loop With Empty Body | OPT.JAVASCRIPT.ERRORCOMUN.AvoidLoopWithEmptyBody | AvoidLoopWithEmptyBody: Avoid loops (while, do/while, for) with empty body |
Critical | Avoid Unary Ops In Assign | OPT.JAVASCRIPT.ERRORCOMUN.AvoidUnaryOpsInAssign | AvoidUnaryOpsInAssign: Avoid errors in the increment or decrement of a variable |
Critical | No Update Loop Vars In For Body | OPT.JAVASCRIPT.ERRORCOMUN.NoUpdateLoopVarsInForBody | NoUpdateLoopVarsInForBody: Do not update control vars in 'for' loop body |
Critical | Avoid Big Files | OPT.JAVASCRIPT.ESTILO.AvoidBigFiles | AvoidBigFiles: Avoid overly large JavaScript files |
Critical | Avoid Large Functions | OPT.JAVASCRIPT.ESTILO.AvoidLargeFunctions | AvoidLargeFunctions: Avoid functions with excessive number of lines |
Critical | Avoid Popup Windows | OPT.JAVASCRIPT.ESTILO.AvoidPopupWindows | AvoidPopupWindows: Avoid popup windows |
Critical | Avoid Document All | OPT.JAVASCRIPT.PORTABILITY.AvoidDocumentAll | AvoidDocumentAll: Do not use document.all or document.layers |
Critical | Avoid Overwriting Builtin Objects | OPT.JAVASCRIPT.AvoidOverwritingBuiltinObjects | AvoidOverwritingBuiltinObjects: Avoid overwriting JavaScript built-in objects |
Critical | Path Manipulation | OPT.JAVASCRIPT.PathManipulation | PathManipulation: External Control of File Name or Path |
Critical | Avoid Cyclic Dependencies | OPT.JAVASCRIPT.NODEJS.AvoidCyclicDependencies | AvoidCyclicDependencies: Avoid cyclic dependencies between modules |
Critical | Avoid Using Process Exit | OPT.JAVASCRIPT.NODEJS.AvoidUsingProcessExit | AvoidUsingProcessExit: Avoid using process.exit() |
Critical | Avoid Dom Manipulation In Controllers | OPT.JAVASCRIPT.ANGULARJS.AvoidDomManipulationInControllers | AvoidDomManipulationInControllers: Avoid DOM manipulation in controllers |
Critical | Bind Objects In Scope | OPT.JAVASCRIPT.ANGULARJS.BindObjectsInScope | BindObjectsInScope: Bind to objects in scope, instead of binding to properties |
Critical | Deprecated Directive Format | OPT.JAVASCRIPT.ANGULARJS.DeprecatedDirectiveFormat | DeprecatedDirectiveFormat: Avoid deprecated directive formats |
Critical | Never Store Dom In Scope | OPT.JAVASCRIPT.ANGULARJS.NeverStoreDomInScope | NeverStoreDomInScope: Never store DOM elements in scope |
Critical | Private Property Access | OPT.JAVASCRIPT.ANGULARJS.PrivatePropertyAccess | PrivatePropertyAccess: Do not access private properties of AngularJS objects |
Critical | Unsafe Minification Annotation | OPT.JAVASCRIPT.ANGULARJS.UnsafeMinificationAnnotation | UnsafeMinificationAnnotation: Use minification-safe annotations in dependency injection |
Critical | Use Controller As Syntax In Views | OPT.JAVASCRIPT.ANGULARJS.UseControllerAsSyntaxInViews | UseControllerAsSyntaxInViews: Use "controller as" syntax in views |
Critical | Watch Collection Change | OPT.JAVASCRIPT.ANGULARJS.WatchCollectionChange | WatchCollectionChange: Use $watchCollection instead of $watch with three parameters |
Critical | Too Broad Access Origin | OPT.JAVASCRIPT.CORDOVA.TooBroadAccessOrigin | TooBroadAccessOrigin: Access policy too broad |
Critical | Vue Component Data Must Be Function | OPT.JAVASCRIPT.VUE.VueComponentDataMustBeFunction | VueComponentDataMustBeFunction: Component data must be a function. |
Critical | Missing Password Field Masking | OPT.JAVASCRIPT.JSX.MissingPasswordFieldMasking | MissingPasswordFieldMasking: Password input field is not masked |
High | Clickjacking Protection | OPT.JAVASCRIPT.ClickjackingProtection | ClickjackingProtection: No clickjacking protection configured |
High | Plaintext Storage In A Cookie | OPT.JAVASCRIPT.PlaintextStorageInACookie | PlaintextStorageInACookie: Cleartext Storage of Sensitive Information in a Cookie |
High | Use Strict Transport Security | OPT.JAVASCRIPT.UseStrictTransportSecurity | UseStrictTransportSecurity: Use HTTP Strict Transport Security |
High | Xss Protection Disabled | OPT.JAVASCRIPT.XssProtectionDisabled | XssProtectionDisabled: Cross-site scripting protection disabled |
High | Avoid Enabled Debug Mode | OPT.JAVASCRIPT.CORDOVA.AvoidEnabledDebugMode | AvoidEnabledDebugMode: Debug logs enabled |
High | Insecure Android Min Sdk Version | OPT.JAVASCRIPT.CORDOVA.InsecureAndroidMinSdkVersion | InsecureAndroidMinSdkVersion: Android SDK version too old |
High | Whitelist Plugin Not Installed | OPT.JAVASCRIPT.CORDOVA.WhitelistPluginNotInstalled | WhitelistPluginNotInstalled: Whitelist plugin not installed |
High | Cross Site Request Forgery | OPT.JAVASCRIPT.CrossSiteRequestForgery | CrossSiteRequestForgery: Execution of an action on the user's behalf on a previously authenticated web site (cross-site request forgery, CSRF) |
High | External Control Of Configuration Setting | OPT.JAVASCRIPT.ExternalControlOfConfigurationSetting | ExternalControlOfConfigurationSetting: External Control of System or Configuration Setting |
High | Header Manipulation | OPT.JAVASCRIPT.HeaderManipulation | HeaderManipulation: Unvalidated data in HTTP response header or in cookies ('HTTP Response Splitting') |
High | Open Redirect | OPT.JAVASCRIPT.OpenRedirect | OpenRedirect: URL Redirection to Untrusted Site ('Open Redirect') |
High | Open Redirect Hana XS | OPT.JAVASCRIPT.OpenRedirectHanaXS | OpenRedirectHanaXS: Open Redirect (HANA XS) |
High | Server Side Request Forgery | OPT.JAVASCRIPT.ServerSideRequestForgery | ServerSideRequestForgery: Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) |
High | XPath Injection | OPT.JAVASCRIPT.XPathInjection | XPathInjection: Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
High | Target Blank Vulnerability | OPT.JAVASCRIPT.JSX.TargetBlankVulnerability | TargetBlankVulnerability: Improper Neutralization of links to external sites |
High | Avoid Empty Functions | OPT.JAVASCRIPT.ERRORCOMUN.AvoidEmptyFunctions | AvoidEmptyFunctions: Avoid top-level functions with empty body |
High | Many Cases | OPT.JAVASCRIPT.ERRORCOMUN.ManyCases | ManyCases: Avoid too many choices in switch structures |
High | Potential Infinite Loop | OPT.JAVASCRIPT.ERRORCOMUN.PotentialInfiniteLoop | PotentialInfiniteLoop: Potential infinite loops |
High | Unused Function Parameter | OPT.JAVASCRIPT.ERRORCOMUN.UnusedFunctionParameter | UnusedFunctionParameter: Avoid unused function parameters |
High | Unused Local Var | OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar | UnusedLocalVar: Avoid unused local variable |
High | Avoid Conditional Operator | OPT.JAVASCRIPT.ESTILO.AvoidConditionalOperator | AvoidConditionalOperator: Do not use the ? ternary operator to evaluate conditions |
High | Avoid Declaring Vars Without Var | OPT.JAVASCRIPT.ESTILO.AvoidDeclaringVarsWithoutVar | AvoidDeclaringVarsWithoutVar: Define variables with var |
High | Avoid Using With | OPT.JAVASCRIPT.ESTILO.AvoidUsingWith | AvoidUsingWith: Avoid using 'with' statement |
High | End Sentences With Semicolon | OPT.JAVASCRIPT.ESTILO.EndSentencesWithSemicolon | EndSentencesWithSemicolon: Avoid statements without semicolon |
High | Avoid Non Portable Methods | OPT.JAVASCRIPT.PORTABILITY.AvoidNonPortableMethods | AvoidNonPortableMethods: Non-portable function check |
High | No Navigator For Browser Detection | OPT.JAVASCRIPT.PORTABILITY.NoNavigatorForBrowserDetection | NoNavigatorForBrowserDetection: Avoid using navigator.userAgent ('browser detecting') for writing portable code |
High | Avoid Accesing Unreliable Variable Properties | OPT.JAVASCRIPT.AvoidAccesingUnreliableVariableProperties | AvoidAccesingUnreliableVariableProperties: Avoid accessing unreliable variable properties |
High | Avoid Calling Too Many Other Components | OPT.JAVASCRIPT.AvoidCallingTooManyOtherComponents | AvoidCallingTooManyOtherComponents: Avoid components that call too many other components |
High | Avoid Misuse Of Delete | OPT.JAVASCRIPT.AvoidMisuseOfDelete | AvoidMisuseOfDelete: The delete operator can only be properly used with object properties |
High | Avoid Named Functions | OPT.JAVASCRIPT.AvoidNamedFunctions | AvoidNamedFunctions: Avoid defining functions in conditional blocks |
High | Avoid Object Instantiation Into Loops | OPT.JAVASCRIPT.AvoidObjectInstantiationIntoLoops | AvoidObjectInstantiationIntoLoops: Avoid object instantiation inside loops |
High | Avoid Too Complex Functions | OPT.JAVASCRIPT.AvoidTooComplexFunctions | AvoidTooComplexFunctions: Avoid using methods with high cyclomatic complexity values |
High | Avoid Too Complex Programs | OPT.JAVASCRIPT.AvoidTooComplexPrograms | AvoidTooComplexPrograms: Avoid using classes with high cyclomatic complexity values |
High | Avoid Using Unary Operators With Objects | OPT.JAVASCRIPT.AvoidUsingUnaryOperatorsWithObjects | AvoidUsingUnaryOperatorsWithObjects: Avoid using the + and - unary operators with objects |
High | Duplicated Name For Function And Variable | OPT.JAVASCRIPT.DuplicatedNameForFunctionAndVariable | DuplicatedNameForFunctionAndVariable: Avoid declaring a function with the same name as a variable |
High | Function Arguments Uniqueness | OPT.JAVASCRIPT.FunctionArgumentsUniqueness | FunctionArgumentsUniqueness: Avoid duplicated argument names in function declarations |
High | IE Conditional Comments | OPT.JAVASCRIPT.IEConditionalComments | IEConditionalComments: Avoid using Internet Explorer conditional comments |
High | Nested If Statements | OPT.JAVASCRIPT.NestedIfStatements | NestedIfStatements: Avoid a high number of nested ifs |
High | Property Names Uniqueness | OPT.JAVASCRIPT.PropertyNamesUniqueness | PropertyNamesUniqueness: Avoid duplicating property names in object literals |
High | Unhandled Promise | OPT.JAVASCRIPT.UnhandledPromise | UnhandledPromise: Handle function returned promises |
High | Variable Redeclaration | OPT.JAVASCRIPT.VariableRedeclaration | VariableRedeclaration: Avoid declaring a variable with a name that is already used |
High | Avoid Too Much Nested Callbacks | OPT.JAVASCRIPT.NODEJS.AvoidTooMuchNestedCallbacks | AvoidTooMuchNestedCallbacks: Avoid using too many nested callbacks |
High | Avoid Using Default Connection Limit | OPT.JAVASCRIPT.NODEJS.AvoidUsingDefaultConnectionLimit | AvoidUsingDefaultConnectionLimit: Avoid using the default connections limit |
High | Validate Package Json | OPT.JAVASCRIPT.NODEJS.ValidatePackageJson | ValidatePackageJson: Avoid specifying dependencies versions with the * wildcard |
High | Require Modules At The Begin | OPT.JAVASCRIPT.RequireModulesAtTheBegin | RequireModulesAtTheBegin: Always require modules at the top of the file |
High | Avoid Complex Expressions In Html | OPT.JAVASCRIPT.ANGULARJS.AvoidComplexExpressionsInHtml | AvoidComplexExpressionsInHtml: Avoid complex AngularJS expressions in HTML |
High | Avoid Root Scope Event Listeners In Controllers | OPT.JAVASCRIPT.ANGULARJS.AvoidRootScopeEventListenersInControllers | AvoidRootScopeEventListenersInControllers: Avoid registering event listeners on the $rootScope in controllers |
High | Deprecated Http Functions | OPT.JAVASCRIPT.ANGULARJS.DeprecatedHttpFunctions | DeprecatedHttpFunctions: Do not use deprecated $http functions |
High | Ng Src When Using Expressions | OPT.JAVASCRIPT.ANGULARJS.NgSrcWhenUsingExpressions | NgSrcWhenUsingExpressions: Always use ng-src for images when including an AngularJS expression |
High | Prevent Component Name Collision | OPT.JAVASCRIPT.ANGULARJS.PreventComponentNameCollision | PreventComponentNameCollision: Prevent name collision in AngularJS component definition |
High | Resolve Controller Dependencies In Route | OPT.JAVASCRIPT.ANGULARJS.ResolveControllerDependenciesInRoute | ResolveControllerDependenciesInRoute: Resolve controller dependencies in routing |
High | Restrict Directives Element Attribute | OPT.JAVASCRIPT.ANGULARJS.RestrictDirectivesElementAttribute | RestrictDirectivesElementAttribute: Restrict directives to elements and attributes |
High | Use Named Functions For Components | OPT.JAVASCRIPT.ANGULARJS.UseNamedFunctionsForComponents | UseNamedFunctionsForComponents: Use named functions instead of callbacks for components |
High | Avoid Annotating Inferable Types | OPT.JAVASCRIPT.TYPESCRIPT.AvoidAnnotatingInferableTypes | AvoidAnnotatingInferableTypes: Avoid using type annotations for inferable primitive types |
High | No Empty Interface | OPT.JAVASCRIPT.TYPESCRIPT.NoEmptyInterface | NoEmptyInterface: Avoid using empty interfaces |
High | Prefer Read Only | OPT.JAVASCRIPT.TYPESCRIPT.PreferReadOnly | PreferReadOnly: Use readonly when a property is never reassigned |
High | Skip Internal Module Or Namespace | OPT.JAVASCRIPT.TYPESCRIPT.SkipInternalModuleOrNamespace | SkipInternalModuleOrNamespace: Use ES2015 module syntax |
High | Useless Type Cast | OPT.JAVASCRIPT.TYPESCRIPT.UselessTypeCast | UselessTypeCast: Avoid useless type castings |
High | Useless Type Intersection | OPT.JAVASCRIPT.TYPESCRIPT.UselessTypeIntersection | UselessTypeIntersection: Avoid useless type intersection |
High | Use Type Annotations | OPT.JAVASCRIPT.TYPESCRIPT.UseTypeAnnotations | UseTypeAnnotations: Use TypeScript typing system |
High | Avoid Forward Refs | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidForwardRefs | AvoidForwardRefs: Avoid using the forwardRef function |
High | Avoid Impure Pipes | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidImpurePipes | AvoidImpurePipes: Avoid impure Pipes |
High | Avoid Template Async Negation | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidTemplateAsyncNegation | AvoidTemplateAsyncNegation: Incorrect Async Pipe usage in templates. |
High | Decorator Incompatibility | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.DecoratorIncompatibility | DecoratorIncompatibility: Avoid using decorators with incompatibilities between them |
High | Use Host Decorator | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseHostDecorator | UseHostDecorator: Use @Host decorator instead of host metadata property |
High | Use Injectable Decorator | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseInjectableDecorator | UseInjectableDecorator: Use @Injectable class decorator instead of the @Inject parameter decorator |
High | Use Input Decorator | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseInputDecorator | UseInputDecorator: Use @Input decorator instead of inputs metadata property |
High | Use Output Decorator | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseOutputDecorator | UseOutputDecorator: Use @Output decorator instead of inputs metadata property |
High | Use Track By | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseTrackBy | UseTrackBy: Use trackBy along with ngFor |
High | Avoid Click Events | OPT.JAVASCRIPT.CORDOVA.AvoidClickEvents | AvoidClickEvents: Avoid using click events in Cordova. |
High | Vue For Without Key | OPT.JAVASCRIPT.VUE.VueForWithoutKey | VueForWithoutKey: Always use key with v-for. |
High | Vue If With For Directive | OPT.JAVASCRIPT.VUE.VueIfWithForDirective | VueIfWithForDirective: Never use v-if on the same element as v-for. |
High | Avoid Web SQL | OPT.JAVASCRIPT.AvoidWebSQL | AvoidWebSQL: Avoid Web SQL |
High | Empty Or Hardcoded Password | OPT.JAVASCRIPT.EmptyOrHardcodedPassword | EmptyOrHardcodedPassword: Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied |
High | Prevent MIME Sniffing | OPT.JAVASCRIPT.PreventMIMESniffing | PreventMIMESniffing: Prevent MIME sniffing |
High | Angular Local Storage Information Leak | OPT.JAVASCRIPT.ANGULARJS.AngularLocalStorageInformationLeak | AngularLocalStorageInformationLeak: AngularJS local storage information leakage |
High | Hardcoded Crypto Key | OPT.JAVASCRIPT.HardcodedCryptoKey | HardcodedCryptoKey: Hardcoded cryptographic keys |
High | Insecure Transport | OPT.JAVASCRIPT.InsecureTransport | InsecureTransport: Insecure transport |
High | Insuficient Key Size | OPT.JAVASCRIPT.InsuficientKeySize | InsuficientKeySize: An otherwise strong encryption algorithm is vulnerable to brute force attack when a small key size is used |
High | Server Insecure Transport | OPT.JAVASCRIPT.ServerInsecureTransport | ServerInsecureTransport: Insecure transport in Node.js HTTP servers |
High | Weak Cryptographic Hash | OPT.JAVASCRIPT.WeakCryptographicHash | WeakCryptographicHash: Weak cryptographic hash |
High | Weak Encryption | OPT.JAVASCRIPT.WeakEncryption | WeakEncryption: Weak symmetric encryption algorithm |
Info | Code Document Percentage | OPT.JAVASCRIPT.DOCUMENTACION.CodeDocumentPercentage | CodeDocumentPercentage: Document the code |
Info | Document Every Function | OPT.JAVASCRIPT.DOCUMENTACION.DocumentEveryFunction | DocumentEveryFunction: Insert heading comments before every top-level function |
Info | Function Redeclaration | OPT.JAVASCRIPT.FunctionRedeclaration | FunctionRedeclaration: Avoid duplicated function names in same scope |
Info | Multiline String Literals | OPT.JAVASCRIPT.MultilineStringLiterals | MultilineStringLiterals: Avoid splitting a string literal across multiple lines using the '\' character |
Info | Avoid Using Process Env | OPT.JAVASCRIPT.NODEJS.AvoidUsingProcessEnv | AvoidUsingProcessEnv: Avoid using process.env() |
Info | Module Definition And Use | OPT.JAVASCRIPT.ANGULARJS.ModuleDefinitionAndUse | ModuleDefinitionAndUse: Declare and access modules using setter/getter syntax without creating a variable |
Low | Form Without Captcha | OPT.JAVASCRIPT.JSX.FormWithoutCaptcha | FormWithoutCaptcha: Form without CAPTCHA |
Low | Use Space Between Operators | OPT.JAVASCRIPT.ESTILO.UseSpaceBetweenOperators | UseSpaceBetweenOperators: Place whitespace between logical operators and their operands |
Low | Global Var Pattern | OPT.JAVASCRIPT.JSNOM.GlobalVarPattern | GlobalVarPattern: Global vars should be avoided or must follow a naming pattern |
Low | Identifier Naming Pattern | OPT.JAVASCRIPT.JSNOM.IdentifierNamingPattern | IdentifierNamingPattern: Follow naming standards for JavaScript identifiers |
Low | Avoid Arguments | OPT.JAVASCRIPT.AvoidArguments | AvoidArguments: Do not use the arguments object |
Low | Avoid Array And Object Constructors | OPT.JAVASCRIPT.AvoidArrayAndObjectConstructors | AvoidArrayAndObjectConstructors: Avoid using Array and Object constructors |
Low | Avoid Commented Out Code Blocks | OPT.JAVASCRIPT.AvoidCommentedOutCodeBlocks | AvoidCommentedOutCodeBlocks: Avoid commented out code blocks |
Low | Avoid Constructors For Side Effects | OPT.JAVASCRIPT.AvoidConstructorsForSideEffects | AvoidConstructorsForSideEffects: Avoid calling constructors without using the result |
Low | Avoid Function Definition Inside Loop | OPT.JAVASCRIPT.AvoidFunctionDefinitionInsideLoop | AvoidFunctionDefinitionInsideLoop: Do not declare functions inside loops |
Low | Avoid Octal Number | OPT.JAVASCRIPT.AvoidOctalNumber | AvoidOctalNumber: Avoid using octal numbers |
Low | Avoid Returning Values From Setters | OPT.JAVASCRIPT.AvoidReturningValuesFromSetters | AvoidReturningValuesFromSetters: Avoid returning a value from setters |
Low | Avoid Using Continue | OPT.JAVASCRIPT.AvoidUsingContinue | AvoidUsingContinue: Avoid using 'continue' statement |
Low | Avoid Using Debugger | OPT.JAVASCRIPT.AvoidUsingDebugger | AvoidUsingDebugger: Avoid using debugger statement |
Low | Break Non Empty Switch Clauses | OPT.JAVASCRIPT.BreakNonEmptySwitchClauses | BreakNonEmptySwitchClauses: Use a break statement as the last statement of a switch case |
Low | Default Clause Switch Statements | OPT.JAVASCRIPT.DefaultClauseSwitchStatements | DefaultClauseSwitchStatements: Use default clause at the end of the switch statement |
Low | Else In Else If Statement | OPT.JAVASCRIPT.ElseInElseIfStatement | ElseInElseIfStatement: Else if statements should finish with an else clause |
Low | Filter For In | OPT.JAVASCRIPT.FilterForIn | FilterForIn: Filter the body of a for-in statement |
Low | Function Declarations Within Blocks | OPT.JAVASCRIPT.FunctionDeclarationsWithinBlocks | FunctionDeclarationsWithinBlocks: Do not use function declarations within blocks |
Low | Labeled Statements | OPT.JAVASCRIPT.LabeledStatements | LabeledStatements: Use labels only on for, while and do-while statements |
Low | One Statement Per Line | OPT.JAVASCRIPT.OneStatementPerLine | OneStatementPerLine: Use only one statement per line |
Low | Parent Class Doesnot Reference Child Classes | OPT.JAVASCRIPT.ParentClassDoesnotReferenceChildClasses | ParentClassDoesnotReferenceChildClasses: Parent class does not reference any of its child classes |
Low | Short Circuit If Statements | OPT.JAVASCRIPT.ShortCircuitIfStatements | ShortCircuitIfStatements: Merge nested if statements using a short-circuit operator |
Low | Too Many Break Or Continue In Loop | OPT.JAVASCRIPT.TooManyBreakOrContinueInLoop | TooManyBreakOrContinueInLoop: Avoid using more than one break or continue statement in each loop |
Low | Trailing Comma | OPT.JAVASCRIPT.TrailingComma | TrailingComma: Avoid using a comma at the end of the last element in the declaration of an array or object |
Low | Type Casting In Comparations | OPT.JAVASCRIPT.TypeCastingInComparations | TypeCastingInComparations: Avoid using logical comparators that perform type casting |
Low | Unreachable Code | OPT.JAVASCRIPT.UnreachableCode | UnreachableCode: Return, break, continue or throw statements should be followed by a }, case or default statement |
Low | Use Single Quote | OPT.JAVASCRIPT.UseSingleQuote | UseSingleQuote: Avoid using single quotes in literals |
Low | Avoid Mixing Require | OPT.JAVASCRIPT.NODEJS.AvoidMixingRequire | AvoidMixingRequire: Avoid mixing require calls with variable initializations |
Low | Use Asynchronous Methods | OPT.JAVASCRIPT.UseAsynchronousMethods | UseAsynchronousMethods: Asynchronous methods give Node.js speed and robustness |
Low | Use JSDoc | OPT.JAVASCRIPT.UseJSDoc | UseJSDoc: Describe how the function works using JSDoc |
Low | Use Module Exports | OPT.JAVASCRIPT.UseModuleExports | UseModuleExports: Use module.exports instead of exports |
Low | Isolate Run Blocks | OPT.JAVASCRIPT.ANGULARJS.IsolateRunBlocks | IsolateRunBlocks: Isolate run blocks code |
Low | Avoid None View Encapsulation | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidNoneViewEncapsulation | AvoidNoneViewEncapsulation: Avoid applying component styles to the whole application |
Low | Avoid Prefixing Output | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidPrefixingOutput | AvoidPrefixingOutput: Avoid prefixing Output properties with "on" |
Low | Never Use History | OPT.JAVASCRIPT.ESTILO.NeverUseHistory | NeverUseHistory: Never use JavaScript 'history' object or navigation-based positioning functions |
Low | Hide Powered By Header | OPT.JAVASCRIPT.HidePoweredByHeader | HidePoweredByHeader: Deactivate X-Powered-By header |
Low | Password In Comments | OPT.JAVASCRIPT.PasswordInComments | PasswordInComments: Avoid hard-coded or in-comment passwords in code |
Low | Avoid Using Console For Debugging | OPT.JAVASCRIPT.NODEJS.AvoidUsingConsoleForDebugging | AvoidUsingConsoleForDebugging: Avoid using console.log() |
Medium | Unsafe Cookie | OPT.JAVASCRIPT.UnsafeCookie | UnsafeCookie: Generate server-side cookies with adequate security properties |
Medium | Avoid Overly Permissive Message Posting | OPT.JAVASCRIPT.AvoidOverlyPermissiveMessagePosting | AvoidOverlyPermissiveMessagePosting: Avoid posting cross-document messages with an overly permissive target origin |
Medium | Trust Boundary Violation | OPT.JAVASCRIPT.TrustBoundaryViolation | TrustBoundaryViolation: Trust boundary violation |
Medium | Specify Integrity Attribute | OPT.JAVASCRIPT.JSX.SpecifyIntegrityAttribute | SpecifyIntegrityAttribute: Specify an integrity attribute on <script> and <link> elements |
Medium | Javascript Url | OPT.JAVASCRIPT.REACT.JavascriptUrl | JavascriptUrl: Usage of javascript: URL in JSX. |
Medium | Avoid For With External Control Vars | OPT.JAVASCRIPT.ERRORCOMUN.AvoidForWithExternalControlVars | AvoidForWithExternalControlVars: Avoid 'for' loops where loop control vars are NOT declared in its initialization block |
Medium | If Without Block | OPT.JAVASCRIPT.ERRORCOMUN.IfWithoutBlock | IfWithoutBlock: Place body of if statements between braces |
Medium | Illegal Identifier | OPT.JAVASCRIPT.ERRORCOMUN.IllegalIdentifier | IllegalIdentifier: Avoid using identifiers not permitted (like reserved keywords) |
Medium | Avoid Alert With Literals | OPT.JAVASCRIPT.ESTILO.AvoidAlertWithLiterals | AvoidAlertWithLiterals: Do not use alert with literals |
Medium | Avoid Multiple Returns | OPT.JAVASCRIPT.ESTILO.AvoidMultipleReturns | AvoidMultipleReturns: Avoid functions with more than one return statement |
Medium | Check Parameters Number In Function | OPT.JAVASCRIPT.ESTILO.CheckParametersNumberInFunction | CheckParametersNumberInFunction: Avoid functions with too many parameters |
Medium | No Style | OPT.JAVASCRIPT.ESTILO.NoStyle | NoStyle: Do not use style property directly, use CSS classes instead |
Medium | Avoid Long Calls In Iterations | OPT.JAVASCRIPT.PERFORMANCE.AvoidLongCallsInIterations | AvoidLongCallsInIterations: Avoid long call/reference chains in loops |
Medium | No Method Append Child | OPT.JAVASCRIPT.PERFORMANCE.NoMethodAppendChild | NoMethodAppendChild: Use innerHTML instead of DOM modification functions |
Medium | Old Use Of Document | OPT.JAVASCRIPT.PORTABILITY.OldUseOfDocument | OldUseOfDocument: Avoid using non W3C-compliant methods/properties of 'document' object |
Medium | Avoid Assigning Undefined | OPT.JAVASCRIPT.AvoidAssigningUndefined | AvoidAssigningUndefined: Avoid assigning undefined to a variable |
Medium | Avoid Comparing With NaN | OPT.JAVASCRIPT.AvoidComparingWithNaN | AvoidComparingWithNaN: Avoid comparing with NaN in conditional expressions |
Medium | Avoid Magic Numbers | OPT.JAVASCRIPT.AvoidMagicNumbers | AvoidMagicNumbers: Avoid using numeric literals |
Medium | Avoid Multiple Statements Per Line | OPT.JAVASCRIPT.AvoidMultipleStatementsPerLine | AvoidMultipleStatementsPerLine: Avoid placing several statements on the same line |
Medium | Avoid Negative Content Lenght | OPT.JAVASCRIPT.AvoidNegativeContentLenght | AvoidNegativeContentLenght: The Content-Length header should not have a negative value |
Medium | Avoid Rebinding A Const Variable | OPT.JAVASCRIPT.AvoidRebindingAConstVariable | AvoidRebindingAConstVariable: Avoid rebinding a const variable |
Medium | Avoid Too Deep Class Hierarchies | OPT.JAVASCRIPT.AvoidTooDeepClassHierarchies | AvoidTooDeepClassHierarchies: Avoid too deep class hierarchies |
Medium | Avoid Using Parse Int Without Radix | OPT.JAVASCRIPT.AvoidUsingParseIntWithoutRadix | AvoidUsingParseIntWithoutRadix: Always specify a radix when using parseInt |
Medium | Denial Of Service | OPT.JAVASCRIPT.DenialOfService | DenialOfService: An attacker could cause the program to become unavailable to legitimate users |
Medium | Loop Without Block | OPT.JAVASCRIPT.LoopWithoutBlock | LoopWithoutBlock: Place loop body statements between braces |
Medium | Avoid Concatenating Dirname And Filename | OPT.JAVASCRIPT.NODEJS.AvoidConcatenatingDirnameAndFilename | AvoidConcatenatingDirnameAndFilename: Avoid concatenating __dirname and __filename with other strings |
Medium | Avoid Using New Require | OPT.JAVASCRIPT.NODEJS.AvoidUsingNewRequire | AvoidUsingNewRequire: Avoid invocations to a module constructor when importing the module |
Medium | Callbacks Always Pass Error Parameter First | OPT.JAVASCRIPT.NODEJS.CallbacksAlwaysPassErrorParameterFirst | CallbacksAlwaysPassErrorParameterFirst: The first callback parameter must be the error |
Medium | Ensure Callbacks Are Returned | OPT.JAVASCRIPT.NODEJS.EnsureCallbacksAreReturned | EnsureCallbacksAreReturned: Use the return statement along with callbacks |
Medium | Use Gzip Compression | OPT.JAVASCRIPT.NODEJS.UseGzipCompression | UseGzipCompression: Use GZIP compression when using express framework |
Medium | Always Use Strict | OPT.JAVASCRIPT.AlwaysUseStrict | AlwaysUseStrict: "use strict" prevents certain bad practices |
Medium | Save A Reference To This | OPT.JAVASCRIPT.SaveAReferenceToThis | SaveAReferenceToThis: The "this" variable is determined based on context, not encapsulation |
Medium | Validate Callbacks | OPT.JAVASCRIPT.ValidateCallbacks | ValidateCallbacks: Only functions are callable |
Medium | Define One Component Per File | OPT.JAVASCRIPT.ANGULARJS.DefineOneComponentPerFile | DefineOneComponentPerFile: Define just one AngularJS component per file |
Medium | Handle Route Errors | OPT.JAVASCRIPT.ANGULARJS.HandleRouteErrors | HandleRouteErrors: Handle all routing errors on a centralised basis |
Medium | Use Angular Wrappers | OPT.JAVASCRIPT.ANGULARJS.UseAngularWrappers | UseAngularWrappers: Use AngularJS wrappers for common objects and functions |
Medium | Avoid Casting I Object Literals | OPT.JAVASCRIPT.TYPESCRIPT.AvoidCastingIObjectLiterals | AvoidCastingIObjectLiterals: Avoid casting object literals |
Medium | No Return Type Any | OPT.JAVASCRIPT.TYPESCRIPT.NoReturnTypeAny | NoReturnTypeAny: Don't use "any" as function return type |
Medium | Review Non Null Assertions | OPT.JAVASCRIPT.TYPESCRIPT.ReviewNonNullAssertions | ReviewNonNullAssertions: Review non-null assertions |
Medium | Too Many Classes Per File | OPT.JAVASCRIPT.TYPESCRIPT.TooManyClassesPerFile | TooManyClassesPerFile: Avoid an excessive number of classes per file |
Medium | Use Primitive Types | OPT.JAVASCRIPT.TYPESCRIPT.UsePrimitiveTypes | UsePrimitiveTypes: Don't wrap primitive types |
Medium | Use Type Alias | OPT.JAVASCRIPT.TYPESCRIPT.UseTypeAlias | UseTypeAlias: Use a type alias when type is complex |
Medium | Avoid Aliasing Input Output | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidAliasingInputOutput | AvoidAliasingInputOutput: Avoid declaring aliases for Input and Output decorators. |
Medium | Invalid Pipe Implementation | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.InvalidPipeImplementation | InvalidPipeImplementation: Implement Angular Pipes completely |
Medium | Naming Conventions | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.NamingConventions | NamingConventions: Follow naming standards for Angular |
Medium | No Parameter Attribute Decorator | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.NoParameterAttributeDecorator | NoParameterAttributeDecorator: Avoid decorating constructor parameters with Attribute |
Medium | Use Life Cycle Interface | OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseLifeCycleInterface | UseLifeCycleInterface: Use the Lifecycle hook interfaces |
Medium | Dangerously Set Inner Html | OPT.JAVASCRIPT.REACT.DangerouslySetInnerHtml | DangerouslySetInnerHtml: Do not use dangerouslySetInnerHTML property in React components. |
Medium | Find Dom Node | OPT.JAVASCRIPT.REACT.FindDomNode | FindDomNode: Do not call ReactDOM.findDOMNode(). |
Medium | Avoid Transfer Values Local Session Storage | OPT.JAVASCRIPT.AvoidTransferValuesLocalSessionStorage | AvoidTransferValuesLocalSessionStorage: Avoid transferring data between localStorage and sessionStorage as it can expose confidential information |
Medium | Easy To Guest Database Name | OPT.JAVASCRIPT.EasyToGuestDatabaseName | EasyToGuestDatabaseName: Do not use an easy-to-guess Web SQL database name |
Medium | Hijacking Ad Hoc Ajax | OPT.JAVASCRIPT.HijackingAdHocAjax | HijackingAdHocAjax: Do not use JavaScript to transport sensitive data |
Medium | Information Exposure Through Error Message | OPT.JAVASCRIPT.InformationExposureThroughErrorMessage | InformationExposureThroughErrorMessage: Avoid sensitive information exposure through error messages |
Medium | Privacy Violation | OPT.JAVASCRIPT.PrivacyViolation | PrivacyViolation: Exposure of Private Information ('Privacy Violation') |
Medium | Sensitive Info In Configuration File | OPT.JAVASCRIPT.SensitiveInfoInConfigurationFile | SensitiveInfoInConfigurationFile: Use of sensitive information in a configuration file |
Medium | Autocomplete On For Sensitive Fields | OPT.JAVASCRIPT.JSX.AutocompleteOnForSensitiveFields | AutocompleteOnForSensitiveFields: Autocomplete enabled for sensitive form fields |
Medium | Insecure Randomness | OPT.JAVASCRIPT.InsecureRandomness | InsecureRandomness: Standard pseudo-random number generators cannot withstand cryptographic attacks |