Adding insecure XML code #473
base: main
Conversation
writer.WriteStartDocument(); | ||
|
||
// BAD: Insert user input directly into XML | ||
writer.WriteRaw("<query><address>" + id + "</address></query>"); |
Check failure: Code scanning / CodeQL: XML injection (High), user-provided value
Copilot Autofix AI 3 months ago
To fix the XML injection vulnerability, we should avoid using the WriteRaw method with user input. Instead, we can use the high-level XML API methods that automatically escape user content. Specifically, we should replace the WriteRaw method with WriteStartElement and WriteElementString methods to ensure the content is appropriately escaped.
@@ -78,6 +78,7 @@ | ||
|
||
// BAD: Insert user input directly into XML | ||
writer.WriteRaw("<query><address>" + id + "</address></query>"); | ||
|
||
// GOOD: Use standard API, which automatically encodes values | ||
writer.WriteStartElement("query"); | ||
writer.WriteElementString("address", id); | ||
writer.WriteEndElement(); | ||
|
||
writer.WriteEndDocument(); |
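Review bot: the autofix hunk (`@@ -78,6 +78,7 @@`) as rendered here has lost its +/- markers, so it is not visible whether the `writer.WriteRaw("<query><address>" + id + "</address></query>");` line is deleted or merely followed by the new calls. The fix is only complete if that line (and its `// BAD` comment) is removed: left in place, `id` is still written unescaped and the new `WriteStartElement("query")` simply opens a second `query` element after the raw one. The hunk should show the WriteRaw line as removed and keep only `writer.WriteStartElement("query"); writer.WriteElementString("address", id); writer.WriteEndElement();` between `WriteStartDocument` and `WriteEndDocument`.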
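The autofix explanation says the high-level XmlWriter methods escape the value where WriteRaw does not. The following is an added example, not code from this PR or from the repository it targets: it builds the same `query`/`address` document both ways with a constructed `id` value that contains markup characters, then parses each result back and counts `address` elements, which is the check a reviewer can run to confirm the value stayed inside one element. The class and method names (`XmlQueryBuilder`, `BuildWithWriteRaw`, `BuildWithApi`, `CountAddressElements`, `RoundTripsAddress`) are assumptions chosen for this example.

```csharp
// Added example, not code from the PR or its repository. Contrasts the WriteRaw
// pattern flagged by CodeQL with the XmlWriter API calls the autofix proposes,
// and verifies the result by parsing it back. Sample input values are constructed.
using System;
using System.Linq;
using System.Text;
using System.Xml;
using System.Xml.Linq;

public static class XmlQueryBuilder
{
    // Flagged pattern: concatenates the untrusted value into markup and writes it
    // verbatim, so any '<' or '&' in the value is interpreted as structure.
    public static string BuildWithWriteRaw(string id)
    {
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb))
        {
            writer.WriteStartDocument();
            writer.WriteRaw("<query><address>" + id + "</address></query>");
            writer.WriteEndDocument();
        }
        return sb.ToString();
    }

    // Autofix pattern: element names are literals and the value goes through
    // WriteElementString, which writes it as escaped character data.
    public static string BuildWithApi(string id)
    {
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb))
        {
            writer.WriteStartDocument();
            writer.WriteStartElement("query");
            writer.WriteElementString("address", id);
            writer.WriteEndElement();
            writer.WriteEndDocument();
        }
        return sb.ToString();
    }

    // Defender's check: parse the output and count <address> elements. Exactly one
    // means the value did not create new structure.
    public static int CountAddressElements(string xml)
    {
        return XDocument.Parse(xml).Descendants("address").Count();
    }

    // Second check: the value read back from the single <address> element must be
    // byte-for-byte the original id, i.e. escaping was reversible and lossless.
    public static bool RoundTripsAddress(string xml, string originalId)
    {
        var address = XDocument.Parse(xml).Root?.Element("address");
        return address != null && address.Value == originalId;
    }

    public static void Main()
    {
        // Constructed sample: an id value carrying markup characters.
        string id = "42</address><address>7";

        string raw = BuildWithWriteRaw(id);
        string safe = BuildWithApi(id);

        Console.WriteLine(raw);
        Console.WriteLine(safe);

        // WriteRaw output: the value split the document into two <address> elements.
        Console.WriteLine("WriteRaw address count:  " + CountAddressElements(raw));
        // API output: one <address> element whose text is the full original value.
        Console.WriteLine("API address count:       " + CountAddressElements(safe));
        Console.WriteLine("API round-trips id:      " + RoundTripsAddress(safe, id));
    }
}
```

With the constructed input, `CountAddressElements` returns 2 for the WriteRaw document and 1 for the API-built one, and `RoundTripsAddress` is true only for the API-built document; `XDocument.Parse` is used rather than string comparison so the check judges structure, not escaping syntax.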
Dependency Review: ✅ No vulnerabilities, license issues or OpenSSF Scorecard issues found.
No description provided.