63 lines
1.7 KiB
Plaintext
63 lines
1.7 KiB
Plaintext
ASP.Net has a feature to validate HTTP requests to prevent potentially dangerous content to perform a cross-site scripting (XSS) attack. There is no reason to disable this mechanism even if other checks to prevent XXS attacks are in place.
|
|
|
|
|
|
This rule raises an issue if a method with parameters is marked with ``++System.Web.Mvc.HttpPostAttribute++`` and not ``++System.Web.Mvc.ValidateInputAttribute(true)++``.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
public class FooBarController : Controller
|
|
{
|
|
[HttpPost] // Noncompliant
|
|
[ValidateInput(false)]
|
|
public ActionResult Purchase(string input)
|
|
{
|
|
return Foo(input);
|
|
}
|
|
|
|
[HttpPost] // Noncompliant
|
|
public ActionResult PurchaseSomethingElse(string input)
|
|
{
|
|
return Foo(input);
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
public class FooBarController : Controller
|
|
{
|
|
[HttpPost]
|
|
[ValidateInput(true)] // Compliant
|
|
public ActionResult Purchase(string input)
|
|
{
|
|
return Foo(input);
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== Exceptions
|
|
|
|
Parameterless methods marked with ``++System.Web.Mvc.HttpPostAttribute++`` will not trigger this issue.
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
|
|
* http://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|
|
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
|
|
* https://www.owasp.org/index.php/ASP.NET_Request_Validation[OWASP ASP.NET Request Validation]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|