
Metadata

ID: csharp-security/xss-protection

Language: C#

Severity: Error

Category: Security

CWE: 79

Description

No description found

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;

namespace VulnerableApp
{
    /// <summary>
    /// Non-compliant examples for csharp-security/xss-protection (CWE-79): every action
    /// below copies a request-bound string parameter into an HTML response without
    /// HTML-encoding it first, so markup or script in the parameter is parsed by the browser.
    /// </summary>
    public class VulnerableController : Controller
    {
        [HttpGet("/profile")]
        public IActionResult ShowProfile(string username)
        {
            // Non-compliant: Unencoded user input in Content
            // `username` is concatenated straight into markup and returned as "text/html",
            // so a value containing `<`, `>` or quotes becomes part of the document
            // structure (reflected XSS). The fix is to pass it through an HTML encoder first.
            return Content("<div>Hello, " + username + "</div>", "text/html");
        }
        
        [HttpGet("/comment")]
        public IActionResult ShowComment(string comment)
        {
            // Non-compliant: Html.Raw with user input
            // Html.Raw wraps its argument as already-encoded content, so any view that renders
            // ViewBag.UserComment emits `comment` verbatim, bypassing Razor's default encoding.
            // NOTE(review): `Html` is an IHtmlHelper member exposed to Razor views, not to
            // Controller, so this line may not compile as written — confirm the example is
            // meant to be illustrative rather than buildable.
            ViewBag.UserComment = Html.Raw(comment);
            return View();
        }
        
        [HttpGet("/search")]
        public IActionResult Search(string query)
        {
            // Non-compliant: Direct Response.Write with user input
            // Writing to the response body directly skips the view layer, so nothing encodes
            // `query`; the explicit "text/html" content type makes the browser treat it as HTML.
            // NOTE(review): ASP.NET Core's HttpResponse has no synchronous Write method (this
            // signature belongs to System.Web.HttpResponse) — confirm which framework the
            // example targets.
            Response.ContentType = "text/html";
            Response.Write("<h2>Search results for: " + query + "</h2>");
            
            // The body was already written above; EmptyResult only ends the action.
            return new EmptyResult();
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;
using System.Text.Encodings.Web;

namespace SecureApp
{
    /// <summary>
    /// Compliant counterparts for csharp-security/xss-protection (CWE-79): request-bound
    /// values either pass through an HTML encoder before reaching markup, never reach the
    /// response at all, or are handed to the view layer, which encodes output by default.
    /// </summary>
    public class SecureController : Controller
    {
        [HttpGet("/user-profile")]
        public IActionResult ShowUserProfile(string username)
        {
            // Compliant: Using HTML encoding
            // HtmlEncoder.Default escapes the characters that carry meaning in HTML element
            // content and quoted attribute values, so `username` renders as text.
            // Encoding is context-specific: this encoder alone is not sufficient for values
            // placed inside <script> blocks, event-handler attributes or URLs.
            return Content("<div>Hello, " + HtmlEncoder.Default.Encode(username) + "</div>", "text/html");
            
            // Also compliant: Using HttpUtility
            // (Unreachable after the return above; kept only to show the System.Web equivalent.)
            // return Content("<div>Hello, " + HttpUtility.HtmlEncode(username) + "</div>", "text/html");
        }
        
        [HttpGet("/welcome")]
        public IActionResult Welcome(string name)
        {
            // Compliant: Static string without user input
            // `name` is bound from the request but never written to the response, so there is
            // no injection point; the unused parameter is intentional in this example.
            return Content("<h1>Welcome to our site!</h1>", "text/html");
        }
        
        [HttpGet("/product")]
        public IActionResult ShowProduct(int id)
        {
            // GetProductName is not defined in this listing. `id` is an int and cannot carry
            // markup, but the returned string can if the database was ever fed unsanitized
            // user input (stored XSS).
            string productName = GetProductName(id); // From database, not user input
            
            // Compliant: Values from trusted sources
            // Strictly, this is safe because the value only goes into ViewBag and Razor
            // HTML-encodes @-expressions by default — not because database content is
            // inherently trusted. NOTE(review): holds only if the view renders
            // ViewBag.ProductName without Html.Raw — confirm in the view.
            ViewBag.ProductName = productName;
            return View();
        }
    }
}
