64f9977e49
You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6399/csharp) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
106 lines
2.5 KiB
Plaintext
106 lines
2.5 KiB
Plaintext
== How to fix it
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,csharp,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
using System.Xml;
|
|
|
|
public class ExampleController : Controller
|
|
{
|
|
public async void Example(string username)
|
|
{
|
|
XmlWriter writer = XmlWriter.Create("data.xml");
|
|
await writer.WriteRawAsync(
|
|
$@"<user>
|
|
<username>{username}</username> <!-- Noncompliant -->
|
|
<role>user</role>
|
|
</user>"
|
|
);
|
|
await writer.DisposeAsync();
|
|
}
|
|
}
|
|
----
|
|
|
|
[source,csharp,diff-id=2,diff-type=noncompliant]
|
|
----
|
|
using System.Xml;
|
|
|
|
public class ExampleController : Controller
|
|
{
|
|
public async void Example(string username)
|
|
{
|
|
XmlDocument doc = new XmlDocument();
|
|
XmlElement user = doc.CreateElement("user");
|
|
doc.AppendChild(user);
|
|
|
|
user.InnerXml = $@"
|
|
<username>{username}</username> <!-- Noncompliant -->
|
|
<role>user</role>";
|
|
doc.Save("data.xml");
|
|
}
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,csharp,diff-id=1,diff-type=compliant]
|
|
----
|
|
using System.Xml;
|
|
using System.Security;
|
|
|
|
public class ExampleController : Controller
|
|
{
|
|
public async void Example(string username)
|
|
{
|
|
XmlWriter writer = XmlWriter.Create("data.xml");
|
|
await writer.WriteRawAsync(
|
|
$@"<user>
|
|
<username>{SecurityElement.Escape(username)}</username>
|
|
<role>user</role>
|
|
</user>"
|
|
);
|
|
await writer.DisposeAsync();
|
|
}
|
|
}
|
|
----
|
|
|
|
[source,csharp,diff-id=2,diff-type=compliant]
|
|
----
|
|
using System.Xml;
|
|
|
|
public class ExampleController : Controller
|
|
{
|
|
public async void Example(string username)
|
|
{
|
|
XmlDocument doc = new XmlDocument();
|
|
XmlElement user = doc.CreateElement("user");
|
|
doc.AppendChild(user);
|
|
|
|
XmlElement username_element = d.CreateElement("username");
|
|
user.AppendChild(username_element);
|
|
username_element.InnerText = username;
|
|
|
|
XmlElement role = d.CreateElement("role");
|
|
user.AppendChild(role);
|
|
role.InnerText = "user";
|
|
doc.Save("data.xml");
|
|
}
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
In most cases, building XML strings with a direct concatenation of user input
|
|
is discouraged. While not always possible, a strong pattern-based validation can
|
|
help sanitize tainted inputs. Likewise, converting to a harmless type can
|
|
sometimes be a solution.
|
|
|
|
include::../../common/fix/object.adoc[]
|
|
|
|
include::../../common/fix/casting.adoc[]
|