Prevent XSS attacks

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST Rules > Prevent XSS attacks

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: csharp-security/xss-protection

Language: C#

Severity: Error

Category: Security

CWE: 79

Description

No description found

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;

namespace VulnerableApp
{
    public class VulnerableController : Controller
    {
        [HttpGet("/profile")]
        public IActionResult ShowProfile(string username)
        {
            // Non-compliant: Unencoded user input in Content
            return Content("<div>Hello, " + username + "</div>", "text/html");
        }
        
        [HttpGet("/comment")]
        public IActionResult ShowComment(string comment)
        {
            // Non-compliant: Html.Raw with user input
            ViewBag.UserComment = Html.Raw(comment);
            return View();
        }
        
        [HttpGet("/search")]
        public IActionResult Search(string query)
        {
            // Non-compliant: Direct Response.Write with user input
            Response.ContentType = "text/html";
            Response.Write("<h2>Search results for: " + query + "</h2>");
            
            return new EmptyResult();
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using System.Web;
using System.Text.Encodings.Web;

namespace SecureApp
{
    public class SecureController : Controller
    {
        [HttpGet("/user-profile")]
        public IActionResult ShowUserProfile(string username)
        {
            // Compliant: Using HTML encoding
            return Content("<div>Hello, " + HtmlEncoder.Default.Encode(username) + "</div>", "text/html");
            
            // Also compliant: Using HttpUtility
            // return Content("<div>Hello, " + HttpUtility.HtmlEncode(username) + "</div>", "text/html");
        }
        
        [HttpGet("/welcome")]
        public IActionResult Welcome(string name)
        {
            // Compliant: Static string without user input
            return Content("<h1>Welcome to our site!</h1>", "text/html");
        }
        
        [HttpGet("/product")]
        public IActionResult ShowProduct(int id)
        {
            string productName = GetProductName(id); // From database, not user input
            
            // Compliant: Values from trusted sources
            ViewBag.ProductName = productName;
            return View();
        }
    }
}