csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring

Author: unknown
ASP.NET Core MVC provides an HtmlString class whose contents are written to the response without HTML encoding. It should never be wrapped around untrusted input: the input is emitted verbatim into the page, which exposes a cross-site scripting (XSS) vulnerability.
Definition
rules:
  - id: razor-use-of-htmlstring
    message: >-
      ASP.NET Core MVC provides an HtmlString class which isn't automatically
      encoded upon output. This should never be used in combination with
      untrusted input as this will expose an XSS vulnerability.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      owasp:
        - A03:2021 - Injection
      references:
        - https://cwe.mitre.org/data/definitions/116.html
        - https://owasp.org/Top10/A03_2021-Injection/
        - https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-6.0#html-encoding-using-razor
      subcategory:
        - audit
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    languages:
      - generic
    paths:
      include:
        - "*.cshtml"
    patterns:
      - pattern-either:
          - pattern: new ...HtmlString(...)
          - pattern: "@(new ...HtmlString(...))"
      - pattern-not-inside: "@(new ...HtmlString(...HtmlEncode(...)))"
      - pattern-not-inside: "@(new ...HtmlString(...Encode(...)))"
      - pattern-not-inside: new ...HtmlString(...HtmlEncode(...))
      - pattern-not-inside: new ...HtmlString(...Encode(...))
Examples
razor-use-of-htmlstring.cshtml
<!-- this is a test for C# from the community contributor and is left as-is for future forking into C# specific rules -->
public void RenderDescription(string description)
{
    // ruleid: razor-use-of-htmlstring
    var newcontent = new Microsoft.AspNetCore.Html.HtmlString(description);
}
<div>
    <div>
        <!-- ruleid: razor-use-of-htmlstring -->
        <div>@(new HtmlString(description))</div>
    </div>
</div>
<!-- this is a test for C# from the community contributor and is left as-is for future forking into C# specific rules -->
public void RenderDescription(string description)
{
    // ok: razor-use-of-htmlstring
    var newcontent = new Microsoft.AspNetCore.Html.HtmlString(WebUtility.HtmlEncode(description));
}
<div>
    <div>
        <!-- ok: razor-use-of-htmlstring -->
        <div>@(new HtmlString(HttpUtility.HtmlEncode(description)))</div>
    </div>
</div>
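The fixture above is a detection test, not a page that renders. The following Razor page is an added example, not part of the rule or its test file: it shows the same cases in a view that actually runs, so you can see why Razor's default encoding neutralises the payload and HtmlString does not. It assumes an ASP.NET Core Razor Pages project, a hypothetical file Pages/Description.cshtml, and a constructed payload that stands in for whatever an attacker would put in the description query parameter.

```cshtml
@page
@* Added example, not the rule's own fixture. Assumes Pages/Description.cshtml in a
   Razor Pages project; the default payload below is constructed for illustration. *@
@using System.Text.Encodings.Web
@using Microsoft.AspNetCore.Html

@{
    // Attacker-controlled input read straight from the query string (?description=...).
    // When no value is supplied, fall back to a constructed XSS payload so the page
    // demonstrates each case on its own.
    string untrusted = Context.Request.Query["description"].ToString();
    if (string.IsNullOrEmpty(untrusted))
    {
        untrusted = "<img src=x onerror=alert(document.cookie)>";
    }
}

<h2>Plain string: Razor HTML-encodes it (safe)</h2>
@* '<' and '>' become &lt; and &gt;, so the payload is displayed as text. *@
<div>@untrusted</div>

<h2>HtmlString around untrusted input (flagged: razor-use-of-htmlstring)</h2>
@* HtmlString implements IHtmlContent, which tells Razor "this is already HTML".
   Nothing is encoded, the <img> tag is parsed, and the onerror handler runs in the
   victim's browser. *@
<div>@(new HtmlString(untrusted))</div>

<h2>HtmlString around encoded input (not flagged)</h2>
@* Encoding first makes the wrapper harmless, but then HtmlString adds nothing over
   plain @untrusted; the safe version of this line is simply <div>@untrusted</div>. *@
<div>@(new HtmlString(HtmlEncoder.Default.Encode(untrusted)))</div>

<h2>Legitimate use: developer-authored markup, untrusted pieces encoded</h2>
@* The only good reason to reach for HtmlString: the markup is yours, and every
   untrusted fragment was encoded before it was spliced in. *@
@{
    var safeFragment = new HtmlString(
        "<p class=\"description\">" + HtmlEncoder.Default.Encode(untrusted) + "</p>");
}
@safeFragment
```

Two things to keep in mind when acting on a hit. First, the rule's allowlist is syntactic: any HtmlString whose argument list contains the text HtmlEncode( or Encode( is skipped, including an expression such as new HtmlString(untrusted + HtmlEncoder.Default.Encode(other)) where the encoded part is not the dangerous part. That is why the metadata carries confidence: LOW; a clean scan is necessary, not sufficient, and each remaining HtmlString still deserves a manual look at where its argument comes from. Second, the fix is usually not to add an encoder call inside the HtmlString but to delete the wrapper and let Razor encode the value, as in the first case above. To run the rule against a project from the registry: semgrep --config r/csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring Pages/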
Short Link: https://sg.run/E8GN