csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring

Author: semgrep
ASP.NET Core MVC provides an HtmlString class whose contents are not automatically HTML-encoded on output. It should never be used with untrusted input, as doing so exposes an XSS vulnerability.

Definition

rules:
  - id: razor-use-of-htmlstring
    message: ASP.NET Core MVC provides an HtmlString class which isn't automatically
      encoded upon output. This should never be used in combination with
      untrusted input as this will expose an XSS vulnerability.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      owasp:
        - A03:2021 - Injection
      references:
        - https://cwe.mitre.org/data/definitions/116.html
        - https://owasp.org/Top10/A03_2021-Injection/
        - https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-6.0#html-encoding-using-razor
      subcategory:
        - audit
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    languages:
      - generic
    paths:
      include:
        - "*.cshtml"
    patterns:
      - pattern-either:
          - pattern: new ...HtmlString(...)
          - pattern: "@(new ...HtmlString(...))"
      - pattern-not-inside: "@(new ...HtmlString(...HtmlEncode(...)))"
      - pattern-not-inside: "@(new ...HtmlString(...Encode(...)))"
      - pattern-not-inside: new ...HtmlString(...HtmlEncode(...))
      - pattern-not-inside: new ...HtmlString(...Encode(...))

Examples

razor-use-of-htmlstring.cshtml

<!-- this is a test for C# from the community contributor and is left as-is for future forking into C# specific rules -->
public void RenderDescription(string description)
{
    // ruleid: razor-use-of-htmlstring
    var newcontent = new Microsoft.AspNetCore.Html.HtmlString(description);
}

<div>
    <div>
        <!-- ruleid: razor-use-of-htmlstring -->
        <div>@(new HtmlString(description))</div>
    </div>
</div>

<!-- this is a test for C# from the community contributor and is left as-is for future forking into C# specific rules -->
public void RenderDescription(string description)
{
    // ok: razor-use-of-htmlstring
    var newcontent = new Microsoft.AspNetCore.Html.HtmlString(WebUtility.HtmlEncode(description));
}

<div>
    <div>
        <!-- ok: razor-use-of-htmlstring -->
        <div>@(new HtmlString(HttpUtility.HtmlEncode(description)))</div>
    </div>
</div>
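To see the behaviour the rule message describes outside a Razor view, here is an added C# console example (not part of the Semgrep rule or its test file). It renders an HtmlString through the same IHtmlContent.WriteTo path that Razor's output pipeline uses, and sets it beside the encode-then-wrap form that the rule's pattern-not-inside clauses accept. It assumes the Microsoft.AspNetCore.App shared framework for HtmlString and HtmlEncoder; the description string is a constructed sample.

```csharp
// Added example, not part of the Semgrep rule or its test file.
// Assumes the Microsoft.AspNetCore.App shared framework (HtmlString, HtmlEncoder).
using System;
using System.IO;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Html;

public static class HtmlStringDemo
{
    // Renders IHtmlContent the way Razor's output pipeline does: WriteTo is
    // handed the page's HtmlEncoder. HtmlString ignores the encoder and writes
    // its value verbatim, which is exactly why the rule flags it.
    public static string Render(IHtmlContent content)
    {
        using var writer = new StringWriter();
        content.WriteTo(writer, HtmlEncoder.Default);
        return writer.ToString();
    }

    // Flagged by the rule: untrusted text reaches the page unencoded.
    public static IHtmlContent UnsafeFragment(string untrusted) =>
        new HtmlString(untrusted);

    // Accepted by the rule (matches the pattern-not-inside "...Encode(...)" shape):
    // encode first, then mark the already-safe result as HTML.
    public static IHtmlContent SafeFragment(string untrusted) =>
        new HtmlString(HtmlEncoder.Default.Encode(untrusted));

    public static void Main()
    {
        // Constructed sample input that contains markup characters.
        string description = "<b>bold</b> & <i>italic</i>";

        Console.WriteLine("HtmlString(raw):     " + Render(UnsafeFragment(description)));
        Console.WriteLine("HtmlString(encoded): " + Render(SafeFragment(description)));
    }
}
```

The first line prints the markup characters untouched, so anything a user typed into `description` becomes part of the page's DOM; the second line prints `&lt;`, `&gt;` and `&amp;` entities, so the browser displays the text literally. In a Razor view the simplest fix is to drop HtmlString altogether and write `@description`, which Razor encodes automatically; reserve HtmlString for markup you have built and encoded yourself.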