rspec/rules/S5131/csharp/how-to-fix-it/asp.net.adoc

=== How to fix it in ASP.NET

[cols="a"]
|===
h| Non-compliant code example
|
[source,csharp]
----
using System.Web;
using System.Web.Mvc;

public class HelloController : Controller
{
    [HttpGet]
    public void Hello(string name, HttpResponse response)
    {
        string html = "<h1>Hello"+ name +"</h1>"
        response.Write(html);
    }
}
----
h| Compliant solution
|
[source,csharp]
----
using System.Web;
using System.Web.Mvc;

public class HelloController : Controller
{
    [HttpGet]
    public void Hello(string name, HttpResponse response)

    {
        string html = "<h1>Hello"+ HttpUtility.HtmlEncode(name) +"</h1>"
        response.Write(html);
    }
}
----
|===


=== How does this work?

If the HTTP response is HTML code, it is highly recommended to use https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c[Razor-based view templates] to generate it.
This template engine separates the view from the business logic and automatically encodes the output of variables, drastically reducing the risk of cross-site scripting vulnerabilities.


include::../../common/fix/data_encoding.adoc[]

`System.Web.HttpUtility.HtmlEncode` is the recommended method to encode HTML entities.

=== Pitfalls

include::../../common/pitfalls/validation.adoc[]

=== Going the extra mile

include::../../common/extra-mile/csp.adoc[]
SONARSEC-3109 S5131 XSS rule should contain context-specific patches 2022-07-04 10:29:30 +02:00			`=== How to fix it in ASP.NET`

SONARSEC-3113 Update code example layouts of S5131 (XSS) rule description 2022-07-04 14:52:28 +02:00			`[cols="a"]`
SONARSEC-3109 S5131 XSS rule should contain context-specific patches 2022-07-04 10:29:30 +02:00			`\|===`
SONARSEC-3113 Update code example layouts of S5131 (XSS) rule description 2022-07-04 14:52:28 +02:00			`h\| Non-compliant code example`
SONARSEC-3109 S5131 XSS rule should contain context-specific patches 2022-07-04 10:29:30 +02:00			`\|`
			`[source,csharp]`
			`----`
			`using System.Web;`
			`using System.Web.Mvc;`

			`public class HelloController : Controller`
			`{`
			`[HttpGet]`
			`public void Hello(string name, HttpResponse response)`
			`{`
			`string html = "<h1>Hello"+ name +"</h1>"`
			`response.Write(html);`
			`}`
			`}`
			`----`
SONARSEC-3113 Update code example layouts of S5131 (XSS) rule description 2022-07-04 14:52:28 +02:00			`h\| Compliant solution`
SONARSEC-3109 S5131 XSS rule should contain context-specific patches 2022-07-04 10:29:30 +02:00			`\|`
			`[source,csharp]`
			`----`
			`using System.Web;`
			`using System.Web.Mvc;`

			`public class HelloController : Controller`
			`{`
			`[HttpGet]`
			`public void Hello(string name, HttpResponse response)`

			`{`
			`string html = "<h1>Hello"+ HttpUtility.HtmlEncode(name) +"</h1>"`
			`response.Write(html);`
			`}`
			`}`
			`----`
			`\|===`


			`=== How does this work?`

			`If the HTTP response is HTML code, it is highly recommended to use https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c[Razor-based view templates] to generate it.`
			`This template engine separates the view from the business logic and automatically encodes the output of variables, drastically reducing the risk of cross-site scripting vulnerabilities.`


			`include::../../common/fix/data_encoding.adoc[]`

			`System.Web.HttpUtility.HtmlEncode` is the recommended method to encode HTML entities.

			`=== Pitfalls`

			`include::../../common/pitfalls/validation.adoc[]`
Modify S5131(Multiple Languages): Add CSPs to 'Going The Extra Mile' (#1239) 2022-09-13 16:28:34 +02:00
			`=== Going the extra mile`

			`include::../../common/extra-mile/csp.adoc[]`