Last post Jul 08, 2014 07:58 AM by AidyF
Jul 07, 2014 08:20 AM|vinodkumar.ravinath|LINK
My existing ASP.NET web application uses a div (set to runat="server") to show disclaimers. This is set using div.InnerHtml property. These disclaimers contain <b>, <br/> tags to show the disclaimers text accordingly.
ex: disclaimerDiv.InnerHtml = disclaimerMsg;
On veracode submission, these were pointed as potential threats.
I tried using Anti XSS library's Sanitizer.GetSafeHtmlFragment() method, but the required tags were removed.
Is there a better way of doing this? Please advise.
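One way to keep the <b> and <br/> formatting while neutralising everything else, as an added example that is not code from this thread: HTML-encode the whole disclaimer first, then restore only exact, attribute-free allowed tokens. It assumes a .NET Framework web project where System.Web's HttpUtility is available; the DisclaimerHtml class and the ToSafeFragment name are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class DisclaimerHtml
{
    // Hypothetical helper: only the exact tokens <b>, </b> and <br/> survive;
    // every other character sequence is HTML-encoded and renders as literal text.
    // The pattern matches the *encoded* form, so it can only ever restore tags
    // with a fixed name and no attributes (no <b onmouseover=...>, no <script>).
    private static readonly Regex AllowedTags = new Regex(
        @"&lt;(b|/b|br\s*/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string ToSafeFragment(string disclaimerMsg)
    {
        if (string.IsNullOrEmpty(disclaimerMsg)) return string.Empty;

        // Step 1: encode everything. Any unexpected markup in the XML file
        // (scripts, event handlers, links) becomes inert text.
        string encoded = HttpUtility.HtmlEncode(disclaimerMsg);

        // Step 2: decode only the allowed tokens, normalising <br>, <br/>, <br />.
        return AllowedTags.Replace(encoded, m =>
        {
            string tag = m.Groups[1].Value.ToLowerInvariant();
            if (tag == "b") return "<b>";
            if (tag == "/b") return "</b>";
            return "<br/>";
        });
    }
}

// Constructed usage from the page code-behind:
// disclaimerDiv.InnerHtml = DisclaimerHtml.ToSafeFragment(disclaimerMsg);
```

A static scanner may still report the InnerHtml sink, but the trust decision is now confined to one small, reviewable function rather than spread over every assignment.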
Jul 07, 2014 10:10 AM|AidyF|LINK
It depends where the disclaimers come from. If they come from a datasource you control, i.e. you input them into a database via an admin system, then outputting them direct to the screen is fine and you should just mark it as an allowed exception. The tool is just there to guide you and suggest areas that you should think about, it's not there to dictate what you must and must not do.
Jul 08, 2014 06:50 AM|vinodkumar.ravinath|LINK
Thanks for the reply AidyF. The source is from an xml file.
I did not understand "mark it as an allowed exception". Did you mean that it would be a mitigation by design?
I totally agree with you on the tool being a guide to suggest areas to think about. Given that there are high standards being set now, this issue is being considered critical. Any other suggestions would be very helpful.
Thanks again for the reply.
Jul 08, 2014 07:58 AM|AidyF|LINK
I've never used the exact tool you're using, but I've used others and I'm assuming there is some way you can mark your code (via an attribute or a special comment) that tells the tool to ignore that instance of a fault.