C#-CWE-79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Required inputs: CSharpAST

Cross-Site Scripting (CWE-79) occurs when an application includes untrusted user input in a web page without proper validation or escaping. This can allow attackers to inject malicious scripts that execute in the context of another user's browser, potentially stealing cookies or session tokens, or performing other malicious actions.

This rule detects the following patterns:

1. **Unsanitized user input in HTML output**

   Example:

   ```csharp
   ViewData["Hello"] = "Hello " + name;
   ```

   - `name` comes from the user and is directly inserted into HTML.
   - This is flagged as unsafe.

2. **Properly sanitized user input**

   Example:

   ```csharp
   ViewData["Hello"] = "Hello " + HttpUtility.HtmlEncode(name);
   ```

   - The input is HTML-encoded before output.
   - This is safe and **not flagged** by the rule.

3. **Conditional or loop-assigned variables**

   - Variables assigned in conditionals or loops are still flagged if they can contain user input that reaches output without sanitization.
   - Example:

     ```csharp
     string title = name;
     if (string.IsNullOrEmpty(name))
         title = "World";
     ViewData["Hello"] = "Hello " + title;
     ```

   - Even if a default is applied, user input can still reach the output.

**Recommendations:**

- Always validate and encode user input before including it in HTML output.
- Use framework-provided encoding functions (e.g., `HttpUtility.HtmlEncode` for ASP.NET).
- Avoid concatenating raw user input directly into HTML, JavaScript, or other output contexts.
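The three patterns above, written out side by side as an added example so the encoded and unencoded outputs can be compared. This is not code from the rule documentation or the analyzer project; the `HelloRenderer` class, its method names, the `ContainsActiveMarkup` check and the sample input are assumptions for illustration. `HttpUtility.HtmlEncode` is the encoder the rule text names.

```csharp
// Added example, not part of the rule documentation.
// Demonstrates the three CWE-79 patterns the rule describes: raw concatenation,
// encoding before output, and a conditional default that does not neutralize input.
using System;
using System.Web; // HttpUtility (available in .NET Framework and in .NET Core 2.0 and later)

public static class HelloRenderer
{
    // Pattern 1: user-controlled 'name' is concatenated straight into markup.
    // This is the shape the rule flags.
    public static string RenderUnsafe(string name)
    {
        return "Hello " + name;
    }

    // Pattern 2: the input is HTML-encoded before it reaches the output.
    // '<', '>', '&', '"' and '\'' become character references, so the browser
    // renders them as text instead of interpreting them as markup.
    public static string RenderSafe(string name)
    {
        return "Hello " + HttpUtility.HtmlEncode(name);
    }

    // Pattern 3: a default value applied in a conditional does not sanitize anything;
    // when 'name' is non-empty, 'title' still carries the user input. The encoding
    // step at the output is what makes this version safe.
    public static string RenderWithDefault(string name)
    {
        string title = name;
        if (string.IsNullOrEmpty(name))
            title = "World";
        return "Hello " + HttpUtility.HtmlEncode(title);
    }

    // Hypothetical helper: true if a rendered fragment still contains characters
    // that can open or close a tag in an HTML text context.
    public static bool ContainsActiveMarkup(string fragment)
    {
        return fragment.IndexOf('<') >= 0 || fragment.IndexOf('>') >= 0;
    }

    public static void Main()
    {
        // Constructed sample input: a "name" that carries markup.
        string name = "<script>alert('xss')</script>";

        Console.WriteLine("Unsafe:        " + RenderUnsafe(name));
        Console.WriteLine("Safe:          " + RenderSafe(name));
        Console.WriteLine("Default (empty): " + RenderWithDefault(""));
        Console.WriteLine("Default (input): " + RenderWithDefault(name));

        // The check mirrors what the rule is looking for: does anything that
        // can act as markup survive to the output?
        Console.WriteLine("Unsafe still has markup:  " + ContainsActiveMarkup(RenderUnsafe(name)));
        Console.WriteLine("Safe still has markup:    " + ContainsActiveMarkup(RenderSafe(name)));
        Console.WriteLine("Default still has markup: " + ContainsActiveMarkup(RenderWithDefault(name)));
    }
}
```

Run it as a plain console project (for example with `dotnet run`). Note that in ASP.NET Core Razor views an `@expression` is HTML-encoded by default and only `Html.Raw(...)` emits unencoded markup, so the strings this rule is concerned with are the ones assembled in code, as with `ViewData` in the patterns above.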

Possible Messages

| Key | Text | Severity | Disabled |
|---|---|---|---|
| tainted_call | This call is not allowed on unsanitized variables. | None | False |

Options