diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/html/DetectHardCodedCredentialsInAura.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/html/DetectHardCodedCredentialsInAura.java
new file mode 100644
index 00000000..a9af2e7b
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/html/DetectHardCodedCredentialsInAura.java
@@ -0,0 +1,61 @@
+package com.salesforce.security.pmd.html;
+
+import java.util.List;
+
+import net.sourceforge.pmd.lang.html.ast.ASTHtmlElement;
+import net.sourceforge.pmd.lang.html.rule.AbstractHtmlRule;
+import net.sourceforge.pmd.lang.rule.xpath.Attribute;
+
+import com.salesforce.security.pmd.utils.SecretsInPackageUtils;
+
+public class DetectHardCodedCredentialsInAura extends AbstractHtmlRule  {
+    private static final String AURA_C_COMPONENT = "C:";
+    private static final String AURA_HARDCODED_SECRET_VIOLATION =
+            "Detected a potential hard coded secret in aura:attribute \"%s\"";
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public Object visit(ASTHtmlElement node, Object data) {
+        detectHardCodedSecrets(node,data);
+        return super.visit(node, data);
+    }
+
+    private void detectHardCodedSecrets(ASTHtmlElement htmlElement, Object data) {
+        String name=htmlElement.getNodeName();
+        if (name.equalsIgnoreCase("aura:attribute")) {
+            detectSecretsInAuraAttrs(htmlElement, data);
+        } else if (name.toUpperCase().startsWith(AURA_C_COMPONENT)) {
+            detectSecretsInAuraComponent(htmlElement, data);
+        }
+
+    }
+
+    private void detectSecretsInAuraComponent(ASTHtmlElement component, Object data) {
+        List<Attribute> allAttrs=component.getAttributes();
+        for (Attribute eachAttr: allAttrs) {
+            String attrName = eachAttr.getName();
+            if (SecretsInPackageUtils.isAPotentialSecret(attrName)) {
+                this.asCtx(data).addViolationWithMessage(component,
+                        String.format(AURA_HARDCODED_SECRET_VIOLATION, attrName));
+            }
+        }
+
+    }
+
+    private void detectSecretsInAuraAttrs(ASTHtmlElement nextAttr, Object data) {
+        String attrName = nextAttr.getAttribute("name");
+        String type = nextAttr.getAttribute("type");
+        if (type!=null && //handles null pointer exception when type is not specified
+                (type.compareToIgnoreCase("string")!=0 && type.compareToIgnoreCase("list")!=0)) {
+            return;
+        }
+        String defaultValue = nextAttr.getAttribute("default");
+        if (defaultValue==null || defaultValue.isEmpty()){
+            return;
+        }
+        if (SecretsInPackageUtils.isAPotentialSecret(attrName)) {
+            this.asCtx(data).addViolationWithMessage(nextAttr,
+                    String.format(AURA_HARDCODED_SECRET_VIOLATION, attrName));
+        }
+    }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/html/DetectUnescapedHtmlInAura.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/html/DetectUnescapedHtmlInAura.java
new file mode 100644
index 00000000..d159593b
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/html/DetectUnescapedHtmlInAura.java
@@ -0,0 +1,15 @@
+package com.salesforce.security.pmd.html;
+
+import net.sourceforge.pmd.lang.html.ast.ASTHtmlElement;
+import net.sourceforge.pmd.lang.html.rule.AbstractHtmlRule;
+
+public class DetectUnescapedHtmlInAura extends AbstractHtmlRule {
+    @Override
+    @SuppressWarnings("unchecked")
+    public Object visit(ASTHtmlElement node, Object data) {
+        if (node.getNodeName().equalsIgnoreCase("aura:unescapedHtml")) {
+            this.asCtx(data).addViolation(node); // Message is defined in sfca/rulesets/AppExchange_html.xml file
+        }
+        return super.visit(node, data);
+    }
+}
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/utils/SecretsInPackageUtils.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/utils/SecretsInPackageUtils.java
new file mode 100644
index 00000000..6532b9e5
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/utils/SecretsInPackageUtils.java
@@ -0,0 +1,104 @@
+package com.salesforce.security.pmd.utils;
+
+import java.util.List;
+
+public class SecretsInPackageUtils {
+    private static final List<String> PRIVACY_FIELD_MAPPINGS_LIST = List.of(
+            "SSN",
+            "SOCIALSECURITY",
+            "SOCIAL_SECURITY",
+            "NATIONALID",
+            "NATIONAL_ID",
+            "NATIONAL_IDENTIFIER",
+            "NATIONALIDENTIFIER",
+            "DRIVERSLICENSE",
+            "DRIVERS_LICENSE",
+            "DRIVER_LICENSE",
+            "DRIVERLICENSE",
+            "PASSPORT",
+            "AADHAAR",
+            "AADHAR" //More?
+    );
+
+    private static final List<String> AUTH_FIELD_MAPPINGS_LIST = List.of(
+            "KEY", // potentially high false +ve rate
+            "ACCESS",
+            "PASS",
+            "ENCRYPT",
+            "TOKEN",
+            "HASH",
+            "SECRET",
+            "SIGNATURE",
+            "SIGN",
+            "AUTH", //AUTHORIZATION,AUTHENTICATION,AUTHENTICATE,OAUTH
+            "AUTHORIZATION",
+            "AUTHENTICATION",
+            "AUTHENTICATE",
+            "BEARER",
+            "CRED", //cred, credential(s),
+            "REFRESH", //
+            "CERT",
+            "PRIVATE",
+            "PUBLIC",
+            "JWT"
+    );
+
+    private static final List<String> POTENTIAL_SECERT_VARS_LIST = List.of(
+            "APIKEY",
+            "API_KEY",
+            "API-KEY",
+            "PASSWORD",
+            "PASSWD",
+            "ENCRYPT",
+            "TOKEN",
+            "HASH",
+            "SECRET",
+            "SIGNATURE",
+            "AUTHN",
+            "AUTHZ",
+            "OAUTH",
+            "AUTHORIZATION",
+            "AUTHENTICATION",
+            "AUTHENTICATE",
+            "BEARER",
+            "CREDS", //cred - has too many false +ve hits, credential(s),
+            "CREDENTIAL",
+            "REFRESHTOKEN",
+            "REFRESH_TOKEN",
+            "CERT",
+            "PRIVATE",
+            "SYMMETRICKEY",
+            "SYMMETRIC_KEY",
+            "ASYMMETRIC_KEY",
+            "ASYMMETRICKEY",
+            "JWT",
+            "SALT",
+            "COOKIE",
+            "SESSIONID",
+            "SESSION_ID",
+            "CREDITCARD",
+            "CREDIT_CARD"
+    );
+
+    private static boolean isAPartialMatchInList(String inputStr, List<String> listOfStrings) {
+        String inputStrUpper = inputStr.toUpperCase();
+        for (String eachStr : listOfStrings) {
+            if (inputStrUpper.contains(eachStr)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public static boolean isAnAuthTokenField(String fieldName) {
+        return isAPartialMatchInList(fieldName.toUpperCase(), AUTH_FIELD_MAPPINGS_LIST);
+    }
+
+    public static boolean isAnInsecurePrivacyField(String fieldName) {
+        return isAPartialMatchInList(fieldName.toUpperCase(), PRIVACY_FIELD_MAPPINGS_LIST);
+    }
+
+    public static boolean isAPotentialSecret(String attrName) {
+        return isAPartialMatchInList(attrName, POTENTIAL_SECERT_VARS_LIST );
+    }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/xml/DetectSecretsInCustomObjects.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/xml/DetectSecretsInCustomObjects.java
index a6f277ce..440abc17 100644
--- a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/xml/DetectSecretsInCustomObjects.java
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/java/com/salesforce/security/pmd/xml/DetectSecretsInCustomObjects.java
@@ -3,7 +3,6 @@
 import net.sourceforge.pmd.lang.xml.ast.internal.XmlParserImpl.RootXmlNode;
 import java.io.File;
 import java.io.IOException;
-import java.util.List;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -20,48 +19,10 @@
 import net.sourceforge.pmd.lang.rule.AbstractRule;
 import org.xml.sax.SAXException;
 
+import com.salesforce.security.pmd.utils.SecretsInPackageUtils;
+
 public class DetectSecretsInCustomObjects extends AbstractRule {
-    private static final List<String> PRIVACY_FIELD_MAPPINGS_LIST = List.of(
-            "SSN",
-            "SOCIALSECURITY",
-            "SOCIAL_SECURITY",
-            "NATIONALID",
-            "NATIONAL_ID",
-            "NATIONAL_IDENTIFIER",
-            "NATIONALIDENTIFIER",
-            "DRIVERSLICENSE",
-            "DRIVERS_LICENSE",
-            "DRIVER_LICENSE",
-            "DRIVERLICENSE",
-            "PASSPORT",
-            "AADHAAR",
-            "AADHAR" //More?
-    );
-
-    private static final List<String> AUTH_FIELD_MAPPINGS_LIST = List.of(
-            "KEY", // potentially high false +ve rate
-            "ACCESS",
-            "PASS",
-            "ENCRYPT",
-            "TOKEN",
-            "HASH",
-            "SECRET",
-            "SIGNATURE",
-            "SIGN",
-            "AUTH", //AUTHORIZATION,AUTHENTICATION,AUTHENTICATE,OAUTH
-            "AUTHORIZATION",
-            "AUTHENTICATION",
-            "AUTHENTICATE",
-            "BEARER",
-            "CRED", //cred, credential(s),
-            "REFRESH", //
-            "CERT",
-            "PRIVATE",
-            "PUBLIC",
-            "JWT"
-    );
-
-    public static final String VISIBILITY_XPATH_EXPR = "/CustomObject/visibility[text()=\"Public\"]";
+     public static final String VISIBILITY_XPATH_EXPR = "/CustomObject/visibility[text()=\"Public\"]";
     public static final String PRIVACY_FIELD_XPATH_EXPR = "/CustomField/type[text()!=\"EncryptedText\"]";
     private static final String CUSTOM_SETTINGS_XPATH_EXPR = "/CustomObject/customSettingsType";
 
@@ -73,10 +34,10 @@ public void apply(Node target, RuleContext ctx) {
             return;
         }
         String fieldName = fieldNameFromFileName(fieldFileName);
-        if (isAnAuthTokenField(fieldName)) {
+        if (SecretsInPackageUtils.isAnAuthTokenField(fieldName)) {
             doObjectVisibilityCheck(ctx, target, fieldFileName);
         }
-        if (isAnInsecurePrivacyField(fieldName)) {
+        if (SecretsInPackageUtils.isAnInsecurePrivacyField(fieldName)) {
             checkFieldType(ctx, target, fieldName);
         }
     }
@@ -157,25 +118,6 @@ private String getObjectFileName(String fieldFileName) {
         }
     }
 
-    public boolean isAnAuthTokenField(String fieldName) {
-        return isAPartialMatchInList(fieldName.toUpperCase(), AUTH_FIELD_MAPPINGS_LIST);
-    }
-
-    public boolean isAnInsecurePrivacyField(String fieldName) {
-        return isAPartialMatchInList(fieldName.toUpperCase(), PRIVACY_FIELD_MAPPINGS_LIST);
-    }
-
-
-    private static boolean isAPartialMatchInList(String inputStr, List<String> listOfStrings) {
-        String inputStrUpper = inputStr.toUpperCase();
-        for (String eachStr : listOfStrings) {
-            if (inputStrUpper.contains(eachStr)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
     private static Document parseDocument(String xmlFile) throws ParserConfigurationException, SAXException, IOException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setExpandEntityReferences(false);
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_html.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_html.xml
new file mode 100644
index 00000000..4794f853
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_html.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ruleset name="AppExchange_html"
+         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
+    <description>AppExchange Security Rules for HTML Language</description>
+
+
+    <rule name="AvoidHardCodedCredentialsInAura"
+          language="html"
+          class="com.salesforce.security.pmd.html.DetectHardCodedCredentialsInAura"
+          message="Detected use of hard coded credentials in Aura component"
+          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidhardcodedcredentialsinaura">
+        <description>Detects use of hard coded credentials in Aura components.</description>
+        <priority>2</priority>
+    </rule>
+
+
+    <rule name="AvoidUnescapedHtmlInAura"
+          language="html"
+          class="com.salesforce.security.pmd.html.DetectUnescapedHtmlInAura"
+          message="Detected use of aura:unescapedHtml"
+          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidunescapedhtmlinaura">
+        <description>Detects use of aura:unescapedHtml,which should be used cautiously. Developers should ensure that the unescapedHtml should not use tainted input to protect against XSS.</description>
+        <priority>2</priority>
+    </rule>
+
+
+    <rule name="DetectUseLwcDomManual"
+          language="html"
+          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+          message="Protect against XSS when using lwc:dom=&quot;manual&quot;."
+          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#detectuselwcdommanual">
+        <description>Detects instances of lwc:dom=&quot;manual&quot; that could allow unintentional or malicious user input. Don't allow user input on these elements.</description>
+        <priority>3</priority>
+        <properties>
+            <property name="xpath">
+                <value><![CDATA[
+//*[@*[local-name()="lwc:dom" and .="manual"]]
+                ]]></value>
+            </property>
+        </properties>
+    </rule>
+
+</ruleset>
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml
index dbc1a0fa..f63995f4 100644
--- a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<ruleset name="AppExchange"
+<ruleset name="AppExchange_xml"
          xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
-    <description>AppExchange Security Rules</description>
+    <description>AppExchange Security Rules for XML Language</description>
 
 
     <rule name="AvoidApiSessionId"
@@ -44,11 +44,11 @@
     </rule>
 
 
-    <rule name="AvoidDisableProtocolSecurity"
+    <rule name="AvoidDisableProtocolSecurityRemoteSiteSetting"
           language="xml"
           class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
           message="Protocol security setting is disabled."
-          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoiddisableprotocolsecurity">
+          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoiddisableprotocolsecurityremotesitesetting">
         <description>Detects if &quot;Disable Protocol Security&quot; setting is true.</description>
         <priority>3</priority>
         <properties>
@@ -118,6 +118,40 @@
     </rule>
 
 
+    <rule name="AvoidJavaScriptInUrls"
+          language="xml"
+          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+          message="Avoid clickable JavaScript-style URLs."
+          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidjavascriptinurls">
+        <description>Detects use of JavaScript-style URLs (javascript:) in components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.</description>
+        <priority>1</priority>
+        <properties>
+            <property name="xpath">
+                <value><![CDATA[
+/document//url/text[contains(upper-case(@Text),"JAVASCRIPT:")]/..
+                ]]></value>
+            </property>
+        </properties>
+    </rule>
+
+
+    <rule name="AvoidJavaScriptWebLink"
+          language="xml"
+          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+          message="Avoid using JavaScript in web links."
+          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidjavascriptweblink">
+        <description>Detects use of custom JavaScript actions in web links.</description>
+        <priority>2</priority>
+        <properties>
+            <property name="xpath">
+                <value><![CDATA[
+/document/CustomPageWebLink/openType/text[@Text="onClickJavaScript"]/..
+                ]]></value>
+            </property>
+        </properties>
+    </rule>
+
+
     <rule name="AvoidLmcIsExposedTrue"
           language="xml"
           class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
@@ -179,11 +213,11 @@
     </rule>
 
 
-    <rule name="UseHttpsCallbackUrl"
+    <rule name="UseHttpsCallbackUrlConnectedApp"
           language="xml"
           class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
           message="Update to secure Oauth callback URL over HTTPS."
-          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#usehttpscallbackurl">
+          externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#usehttpscallbackurlconnectedapp">
         <description>Detects instances of an OAuth callback URL that uses HTTP. Use HTTPS instead.</description>
         <priority>3</priority>
         <properties>
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/AvoidHardCodedCredentialsInAuraTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/AvoidHardCodedCredentialsInAuraTest.java
new file mode 100644
index 00000000..83f5cd5d
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/AvoidHardCodedCredentialsInAuraTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_html;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidHardCodedCredentialsInAuraTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_html" is the package name of this test file. Thus, the associated
+        // test data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_html/xml/AvoidHardCodedCredentialsInAura.xml"
+        addRule("sfca/rulesets/AppExchange_html.xml", "AvoidHardCodedCredentialsInAura");
+    }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/AvoidUnescapedHtmlInAuraTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/AvoidUnescapedHtmlInAuraTest.java
new file mode 100644
index 00000000..b918fb1f
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/AvoidUnescapedHtmlInAuraTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_html;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidUnescapedHtmlInAuraTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_html" is the package name of this test file. Thus, the associated
+        // test data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_html/xml/AvoidUnescapedHtmlInAura.xml"
+        addRule("sfca/rulesets/AppExchange_html.xml", "AvoidUnescapedHtmlInAura");
+    }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/DetectUseLwcDomManualTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/DetectUseLwcDomManualTest.java
new file mode 100644
index 00000000..f9cd53cd
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_html/DetectUseLwcDomManualTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_html;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class DetectUseLwcDomManualTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_html" is the package name of this test file. Thus, the associated
+        // test data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_html/xml/DetectUseLwcDomManual.xml"
+        addRule("sfca/rulesets/AppExchange_html.xml", "DetectUseLwcDomManual");
+    }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityRemoteSiteSettingTest.java
similarity index 79%
rename from packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java
rename to packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityRemoteSiteSettingTest.java
index c40e44be..98a3414f 100644
--- a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityRemoteSiteSettingTest.java
@@ -2,7 +2,7 @@
 
 import net.sourceforge.pmd.test.SimpleAggregatorTst;
 
-public class AvoidDisableProtocolSecurityTest extends SimpleAggregatorTst {
+public class AvoidDisableProtocolSecurityRemoteSiteSettingTest extends SimpleAggregatorTst {
     @Override
     protected void setUp() {
         // The test data xml file for this rule's test will always be in the resources directory using a naming
@@ -10,7 +10,7 @@ protected void setUp() {
         //     "resources/<TestPackageName>/xml/<RuleName>.xml".
         // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
         // data xml file for this rule must be found at:
-        //      "resource/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml"
-        addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidDisableProtocolSecurity");
+        //      "resource/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurityRemoteSiteSetting.xml"
+        addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidDisableProtocolSecurityRemoteSiteSetting");
     }
 }
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidJavaScriptInUrlsTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidJavaScriptInUrlsTest.java
new file mode 100644
index 00000000..bf3fbca9
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidJavaScriptInUrlsTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidJavaScriptInUrlsTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+        // data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptInUrls.xml"
+        addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidJavaScriptInUrls");
+    }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidJavaScriptWebLinkTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidJavaScriptWebLinkTest.java
new file mode 100644
index 00000000..66deac93
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidJavaScriptWebLinkTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidJavaScriptWebLinkTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+        // data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptWebLink.xml"
+        addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidJavaScriptWebLink");
+    }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/UseHttpsCallbackUrlTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/UseHttpsCallbackUrlConnectedAppTest.java
similarity index 83%
rename from packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/UseHttpsCallbackUrlTest.java
rename to packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/UseHttpsCallbackUrlConnectedAppTest.java
index b212073a..8a67a595 100644
--- a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/UseHttpsCallbackUrlTest.java
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/UseHttpsCallbackUrlConnectedAppTest.java
@@ -2,7 +2,7 @@
 
 import net.sourceforge.pmd.test.SimpleAggregatorTst;
 
-public class UseHttpsCallbackUrlTest extends SimpleAggregatorTst {
+public class UseHttpsCallbackUrlConnectedAppTest extends SimpleAggregatorTst {
     @Override
     protected void setUp() {
         // The test data xml file for this rule's test will always be in the resources directory using a naming
@@ -10,7 +10,7 @@ protected void setUp() {
         //     "resources/<TestPackageName>/xml/<RuleName>.xml".
         // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
         // data xml file for this rule must be found at:
-        //      "resource/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrl.xml"
-        addRule("sfca/rulesets/AppExchange_xml.xml", "UseHttpsCallbackUrl");
+        //      "resource/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrlConnectedApp.xml"
+        addRule("sfca/rulesets/AppExchange_xml.xml", "UseHttpsCallbackUrlConnectedApp");
     }
 }
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/AvoidHardCodedCredentialsInAura.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/AvoidHardCodedCredentialsInAura.xml
new file mode 100644
index 00000000..acbdf195
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/AvoidHardCodedCredentialsInAura.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <test-code>
+        <description>When hard coded credentials are found in direct attributess of Aura component, then report violation</description>
+        <expected-problems>3</expected-problems>
+        <expected-linenumbers>2,2,2</expected-linenumbers>
+        <code><![CDATA[
+<aura:component>
+    <c:someComponent password="testpassword" apikey="123xyzabcd" authtoken="helloworld"/>
+</aura:component>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When there are no hard coded credentials are found in direct attributes of Aura component, then do not report violation</description>
+        <expected-problems>0</expected-problems>
+        <code><![CDATA[
+<aura:component>
+    <c:someComponent color="red"/>
+</aura:component>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When hard coded credentials are found in attributes of Aura component, then report violation</description>
+        <expected-problems>3</expected-problems>
+        <expected-linenumbers>2,3,4</expected-linenumbers>
+        <code><![CDATA[
+<aura:component>
+    <aura:attribute name="password" type="string" default="123456890"/>
+    <aura:attribute name="apikey" type="string" default="123456890"/>
+    <aura:attribute name="authtoken" type="string" default="123456890"/>
+</aura:component>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When there are no hard coded credentials are found in attributes of Aura component, then do not report violation</description>
+        <expected-problems>0</expected-problems>
+        <code><![CDATA[
+<aura:component>
+    <aura:attribute name="color" type="string" default="red"/>
+    <aura:attribute name="authkey" type="string"/>
+</aura:component>
+        ]]></code>
+    </test-code>
+
+</test-data>
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/AvoidUnescapedHtmlInAura.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/AvoidUnescapedHtmlInAura.xml
new file mode 100644
index 00000000..00fc471b
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/AvoidUnescapedHtmlInAura.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <test-code>
+        <description>When unescapedHtml is used, then report violation</description>
+        <expected-problems>2</expected-problems>
+        <expected-linenumbers>5,6</expected-linenumbers>
+        <code><![CDATA[
+<aura:component>
+    <aura:attribute name="searchResult" type="List" access="private"/>
+    <aura:attribute name="someString" type="List" access="private" default="abcd"/>
+    <aura:iteration items="{!v.searchResult}" var="record">
+        <aura:unescapedHtml value="{!record.Field0}"/>
+        <aura:unescapedHtml value="{!someString}"/>
+    </aura:iteration>
+</aura:component>
+        ]]></code>
+    </test-code>
+
+</test-data>
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/DetectUseLwcDomManual.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/DetectUseLwcDomManual.xml
new file mode 100644
index 00000000..9e833526
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_html/xml/DetectUseLwcDomManual.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <!-- TOOD: STILL NEED TESTS FOR THIS RULE -->
+
+</test-data>
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurityRemoteSiteSetting.xml
similarity index 100%
rename from packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml
rename to packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurityRemoteSiteSetting.xml
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptInUrls.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptInUrls.xml
new file mode 100644
index 00000000..b514c341
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptInUrls.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <test-code>
+        <description>When javascript in CustomPageWebLink url, then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>3</expected-linenumbers>
+        <code><![CDATA[
+<CustomPageWebLink xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <url>javascript:doSomething();</url>
+</CustomPageWebLink>
+        ]]></code>
+    </test-code>
+
+
+    <test-code>
+        <description>When javascript in WebLink url, then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>3</expected-linenumbers>
+        <code><![CDATA[
+<WebLink xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <url>javascript:helloWorld();</url>
+</WebLink>
+        ]]></code>
+    </test-code>
+
+
+    <test-code>
+        <description>When using normal url in CustomPageWebLink, then do not report violation</description>
+        <expected-problems>0</expected-problems>
+        <code><![CDATA[
+<CustomPageWebLink xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <url>/apex/test</url>
+</CustomPageWebLink>
+        ]]></code>
+    </test-code>
+
+</test-data>
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptWebLink.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptWebLink.xml
new file mode 100644
index 00000000..ce123a88
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidJavaScriptWebLink.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <test-code>
+        <description>When openType is "onClickJavaScript" in WebLink, then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>3</expected-linenumbers>
+        <code><![CDATA[
+<CustomPageWebLink xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <openType>onClickJavaScript</openType>
+</CustomPageWebLink>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When openType is not "onClickJavaScript" in WebLink, then do not report violation</description>
+        <expected-problems>0</expected-problems>
+        <code><![CDATA[
+<CustomPageWebLink xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <openType>sidebar</openType>
+</CustomPageWebLink>
+        ]]></code>
+    </test-code>
+
+</test-data>
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrl.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrlConnectedApp.xml
similarity index 84%
rename from packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrl.xml
rename to packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrlConnectedApp.xml
index 7657427e..a7c1ae5d 100644
--- a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrl.xml
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/UseHttpsCallbackUrlConnectedApp.xml
@@ -5,7 +5,7 @@
         xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
 
     <test-code>
-        <description>If Connected App has unsafe callback, then report violation</description>
+        <description>When Connected App has unsafe callback, then report violation</description>
         <expected-problems>1</expected-problems>
         <expected-linenumbers>6</expected-linenumbers>
         <code><![CDATA[
@@ -21,7 +21,7 @@
     </test-code>
 
     <test-code>
-        <description>If Connected App has even just one unsafe callback url, then report violation</description>
+        <description>When Connected App has even just one unsafe callback url, then report violation</description>
         <expected-problems>1</expected-problems>
         <expected-linenumbers>6</expected-linenumbers>
         <code><![CDATA[
@@ -41,7 +41,7 @@
     </test-code>
 
     <test-code>
-        <description>Connected App with unsafe callback url False positive</description>
+        <description>When Connected App has safe callback url, then do not report violation</description>
         <expected-problems>0</expected-problems>
         <code><![CDATA[
 <?xml version="1.0" encoding="UTF-8"?>
diff --git a/packages/code-analyzer-pmd-engine/src/constants.ts b/packages/code-analyzer-pmd-engine/src/constants.ts
index c10e0f5e..673fd9e4 100644
--- a/packages/code-analyzer-pmd-engine/src/constants.ts
+++ b/packages/code-analyzer-pmd-engine/src/constants.ts
@@ -34,7 +34,9 @@ export const DEFAULT_FILE_EXTENSIONS: Record<Language, string[]> = {
 
     [Language.HTML]: [
         // From PMD's HtmlLanguageModule:
-        '.html', '.htm', '.xhtml', '.xht', '.shtml'
+        '.html', '.htm', '.xhtml', '.xht', '.shtml',
+        // For the AppExchange rules - to support rules for aura components
+        '.cmp'
     ],
 
     [Language.JAVASCRIPT]: [
@@ -65,6 +67,7 @@ export const DEFAULT_FILE_EXTENSIONS: Record<Language, string[]> = {
 // the user needing to add it to their custom_rulesets configuration list. See "pmd-rules/src/main/resources" to see
 // which rulesets we have bundled inside our sfca-pmd-rules jar file.
 export const SFCA_RULESETS_TO_MAKE_AVAILABLE: string[] = [
+    "sfca/rulesets/AppExchange_html.xml",
     "sfca/rulesets/AppExchange_xml.xml"
 ];
 
diff --git a/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts b/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts
index ebc30dc2..2fbd34f8 100644
--- a/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts
+++ b/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts
@@ -395,6 +395,25 @@ export const RULE_MAPPINGS: Record<string, {severity: SeverityLevel, tags: strin
     },
 
 
+    // =================================================================================================================
+    //   SFCA-PMD-RULES - APPEXCHANGE HTML RULES
+    // =================================================================================================================
+    "AvoidHardCodedCredentialsInAura": {
+        severity: SeverityLevel.High,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.HTML]
+    },
+
+    "AvoidUnescapedHtmlInAura": {
+        severity: SeverityLevel.High,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.HTML]
+    },
+
+    "DetectUseLwcDomManual": {
+        severity: SeverityLevel.Moderate,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.HTML]
+    },
+
+
     // =================================================================================================================
     //   SFCA-PMD-RULES - APPEXCHANGE XML RULES
     // =================================================================================================================
@@ -408,7 +427,7 @@ export const RULE_MAPPINGS: Record<string, {severity: SeverityLevel, tags: strin
         tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
     },
 
-    "AvoidDisableProtocolSecurity": {
+    "AvoidDisableProtocolSecurityRemoteSiteSetting": {
         severity: SeverityLevel.Moderate,
         tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
     },
@@ -423,6 +442,16 @@ export const RULE_MAPPINGS: Record<string, {severity: SeverityLevel, tags: strin
         tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
     },
 
+    "AvoidJavaScriptInUrls": {
+        severity: SeverityLevel.Critical,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
+    },
+
+    "AvoidJavaScriptWebLink": {
+        severity: SeverityLevel.High,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
+    },
+
     "AvoidJavaScriptHomePageComponent": {
         severity: SeverityLevel.High,
         tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
@@ -448,7 +477,7 @@ export const RULE_MAPPINGS: Record<string, {severity: SeverityLevel, tags: strin
         tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
     },
 
-    "UseHttpsCallbackUrl": {
+    "UseHttpsCallbackUrlConnectedApp": {
         severity: SeverityLevel.Moderate,
         tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
     }
diff --git a/packages/code-analyzer-pmd-engine/test/test-data/pmdGoldfiles/rules_allLanguages.goldfile.json b/packages/code-analyzer-pmd-engine/test/test-data/pmdGoldfiles/rules_allLanguages.goldfile.json
index be33949d..43fdd19e 100644
--- a/packages/code-analyzer-pmd-engine/test/test-data/pmdGoldfiles/rules_allLanguages.goldfile.json
+++ b/packages/code-analyzer-pmd-engine/test/test-data/pmdGoldfiles/rules_allLanguages.goldfile.json
@@ -309,7 +309,7 @@
     ]
   },
   {
-    "name": "AvoidDisableProtocolSecurity",
+    "name": "AvoidDisableProtocolSecurityRemoteSiteSetting",
     "severityLevel": 3,
     "tags": [
       "AppExchange",
@@ -318,7 +318,7 @@
     ],
     "description": "Detects if \"Disable Protocol Security\" setting is true.",
     "resourceUrls": [
-      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoiddisableprotocolsecurity"
+      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoiddisableprotocolsecurityremotesitesetting"
     ]
   },
   {
@@ -334,6 +334,19 @@
       "https://docs.pmd-code.org/pmd-doc-{{PMD_VERSION}}/pmd_rules_apex_bestpractices.html#avoidglobalmodifier"
     ]
   },
+  {
+    "name": "AvoidHardCodedCredentialsInAura",
+    "severityLevel": 2,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Html"
+    ],
+    "description": "Detects use of hard coded credentials in Aura components.",
+    "resourceUrls": [
+      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidhardcodedcredentialsinaura"
+    ]
+  },
   {
     "name": "AvoidHardcodingId",
     "severityLevel": 3,
@@ -398,6 +411,32 @@
       "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidjavascripthomepagecomponent"
     ]
   },
+  {
+    "name": "AvoidJavaScriptInUrls",
+    "severityLevel": 1,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Xml"
+    ],
+    "description": "Detects use of JavaScript-style URLs (javascript:) in components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.",
+    "resourceUrls": [
+      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidjavascriptinurls"
+    ]
+  },
+  {
+    "name": "AvoidJavaScriptWebLink",
+    "severityLevel": 2,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Xml"
+    ],
+    "description": "Detects use of custom JavaScript actions in web links.",
+    "resourceUrls": [
+      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidjavascriptweblink"
+    ]
+  },
   {
     "name": "AvoidLmcIsExposedTrue",
     "severityLevel": 2,
@@ -475,6 +514,19 @@
       "https://docs.pmd-code.org/pmd-doc-{{PMD_VERSION}}/pmd_rules_ecmascript_errorprone.html#avoidtrailingcomma"
     ]
   },
+  {
+    "name": "AvoidUnescapedHtmlInAura",
+    "severityLevel": 2,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Html"
+    ],
+    "description": "Detects use of aura:unescapedHtml,which should be used cautiously. Developers should ensure that the unescapedHtml should not use tainted input to protect against XSS.",
+    "resourceUrls": [
+      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidunescapedhtmlinaura"
+    ]
+  },
   {
     "name": "AvoidWithStatement",
     "severityLevel": 2,
@@ -551,6 +603,19 @@
       "https://docs.pmd-code.org/pmd-doc-{{PMD_VERSION}}/pmd_rules_apex_bestpractices.html#debugsshoulduselogginglevel"
     ]
   },
+  {
+    "name": "DetectUseLwcDomManual",
+    "severityLevel": 3,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Html"
+    ],
+    "description": "Detects instances of lwc:dom=\"manual\" that could allow unintentional or malicious user input. Don't allow user input on these elements.",
+    "resourceUrls": [
+      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#detectuselwcdommanual"
+    ]
+  },
   {
     "name": "EagerlyLoadedDescribeSObjectResult",
     "severityLevel": 2,
@@ -1197,7 +1262,7 @@
     ]
   },
   {
-    "name": "UseHttpsCallbackUrl",
+    "name": "UseHttpsCallbackUrlConnectedApp",
     "severityLevel": 3,
     "tags": [
       "AppExchange",
@@ -1206,7 +1271,7 @@
     ],
     "description": "Detects instances of an OAuth callback URL that uses HTTP. Use HTTPS instead.",
     "resourceUrls": [
-      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#usehttpscallbackurl"
+      "https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#usehttpscallbackurlconnectedapp"
     ]
   },
   {