Prevent XSS attacks

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Metadata

ID: csharp-security/xss-protection

Language: C#

Severity: Error

Category: Security

CWE: 79

Description

No description found

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;

namespace VulnerableApp
{
    public class VulnerableController : Controller
    {
        [HttpGet("/profile")]
        public IActionResult ShowProfile(string username)
        {
            // Non-compliant: Unencoded user input in Content
            return Content("<div>Hello, " + username + "</div>", "text/html");
        }
        
        [HttpGet("/comment")]
        public IActionResult ShowComment(string comment)
        {
            // Non-compliant: Html.Raw with user input
            ViewBag.UserComment = Html.Raw(comment);
            return View();
        }
        
        [HttpGet("/search")]
        public IActionResult Search(string query)
        {
            // Non-compliant: Direct Response.Write with user input
            Response.ContentType = "text/html";
            Response.Write("<h2>Search results for: " + query + "</h2>");
            
            return new EmptyResult();
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;
using System.Text.Encodings.Web;

namespace SecureApp
{
    public class SecureController : Controller
    {
        [HttpGet("/user-profile")]
        public IActionResult ShowUserProfile(string username)
        {
            // Compliant: Using HTML encoding
            return Content("<div>Hello, " + HtmlEncoder.Default.Encode(username) + "</div>", "text/html");
            
            // Also compliant: Using HttpUtility
            // return Content("<div>Hello, " + HttpUtility.HtmlEncode(username) + "</div>", "text/html");
        }
        
        [HttpGet("/welcome")]
        public IActionResult Welcome(string name)
        {
            // Compliant: Static string without user input
            return Content("<h1>Welcome to our site!</h1>", "text/html");
        }
        
        [HttpGet("/product")]
        public IActionResult ShowProduct(int id)
        {
            string productName = GetProductName(id); // From database, not user input
            
            // Compliant: Values from trusted sources
            ViewBag.ProductName = productName;
            return View();
        }
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security