Skip to content

Add fixture coverage for the second Razor XSS rule #16

Description

@malik111110

Outcome

Both Razor XSS rules have independently identifiable vulnerable and safe examples.

Maintainer guidance

internal/sast/frameworks/razor/pack_test.go currently exercises Html.Raw and normal escaped output. Identify PF-RAZOR-XSS-002 from rules.go and add cases that cannot pass only because PF-RAZOR-XSS-001 fired.

Acceptance criteria

  • Add a minimal vulnerable .cshtml snippet targeting PF-RAZOR-XSS-002.
  • Assert the exact rule ID rather than only the finding count.
  • Add the corresponding framework-safe output pattern.
  • Assert neither the target rule nor an unexpected Razor rule fires for the safe snippet.
  • go test ./internal/sast/frameworks/razor -count=1 passes.
  • gofmt produces no diff.

Scope

Only internal/sast/frameworks/razor/pack_test.go should normally change. Refs #7.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions