C# False positive: XSS via AttributeCollection #17567

Closed
@rpmrmartin

Description of the false positive

System.Web.UI.AttributeCollection automatically HTML encodes the values passed to it before writing them to HTML, so the developer does not need to do so explicitly. In fact, doing so will cause the value to be double-encoded, potentially causing a bug.

Code samples or links to source code

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebForms.Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:Button runat="server" ID="uiButton"/>
    </form>
</body>
</html>

Default.aspx.cs

using System;

namespace WebForms
{
	public partial class Default : System.Web.UI.Page
	{
		protected void Page_Load(object sender, EventArgs e)
		{
			// AttributeCollection HTML-attribute-encodes this value when the control
			// renders, so it is added raw; encoding it here too would double-encode it.
			uiButton.Attributes.Add("data-href", Request.Url.ToString());
		}
	}
}

URL to the alert on GitHub code scanning (optional)

Alert is in a private repository
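To see what actually reaches the HTML, the attribute bag can be rendered through an HtmlTextWriter outside of a Page. The console program below is an added example, not code from the issue or from CodeQL. It assumes a .NET Framework project referencing System.Web.dll (System.Web.UI is not available on .NET Core or .NET 5+), and it uses a constructed tainted string in place of Request.Url.ToString(). It contrasts the reporter's pattern (raw value handed to AttributeCollection) with the pre-encoded variant that the alert would nudge a developer towards.

```csharp
// Added example: renders an AttributeCollection the same way a WebControl does
// at render time, so the encoding behaviour can be observed outside a Page.
// Assumes a .NET Framework console project referencing System.Web.dll.
using System;
using System.IO;
using System.Web;
using System.Web.UI;

static class AttributeEncodingDemo
{
    // AttributeCollection.Render calls HtmlTextWriter.WriteAttribute with
    // fEncode = true for every entry in the bag.
    static string Render(AttributeCollection attrs)
    {
        var sw = new StringWriter();
        var writer = new HtmlTextWriter(sw);
        attrs.Render(writer);
        writer.Flush();
        return sw.ToString();
    }

    static void Main()
    {
        // Constructed attacker-influenced input standing in for Request.Url.ToString().
        string tainted = "http://example.test/?q=\"><img src=x onerror=alert(1)>";

        // 1. Reporter's pattern: add the raw value and let the collection encode it.
        var raw = new AttributeCollection(new StateBag(true));
        raw.Add("data-href", tainted);
        Console.WriteLine("raw   :" + Render(raw));
        // The '"' that would close the attribute is written as &quot; and '<' as
        // &lt;, so the payload stays inside data-href="...".

        // 2. What the alert pushes towards: encoding before Add as well.
        var twice = new AttributeCollection(new StateBag(true));
        twice.Add("data-href", HttpUtility.HtmlAttributeEncode(tainted));
        Console.WriteLine("double:" + Render(twice));
        // The '&' of &quot; is encoded again to &amp;quot;, so the browser sees the
        // literal text &quot; rather than a quote: not exploitable, but a functional bug.
    }
}
```

Attribute encoding only guarantees that the value cannot break out of the quoted data-href attribute; how client-side script later consumes that attribute is a separate sink and is outside what this report covers.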
