Veracode CWE 80 XSS issue with writing to HttpResponse object in c#


Does anybody have any suggestion as to what code I can add to mitigate a Veracode XSS violation that the following code is producing?

        else if (fileBytes != null && fileBytes.Length > 0)
        {
            // Round-trip the untrusted bytes through HtmlEncode/HtmlDecode, then encode
            // once more with AntiXssEncoder before sending them back as a download.
            string htmlContent = System.Web.HttpUtility.HtmlDecode(
                System.Web.HttpUtility.HtmlEncode(
                    System.Text.Encoding.UTF8.GetString(fileBytes, 0, fileBytes.Length)));
            htmlContent = AntiXssEncoder.HtmlEncode(htmlContent, true);
            fileBytes = Encoding.UTF8.GetBytes(htmlContent);

            Response.Clear();
            MemoryStream ms = new MemoryStream(fileBytes);
            Response.ContentType = "text/plain";
            Response.AddHeader("content-disposition", "attachment;filename=" + fileName);
            Response.Buffer = true;
            ms.WriteTo(Response.OutputStream); // THIS IS CAUSING THE VIOLATION
            Response.End();
        }

I've tried so many different encoding options I can't even keep them all straight in my head. No matter what I do, I get the following violation from Veracode.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

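As an added example (not code from the question or from any answer), here is how the same download can be written so the untrusted contents and filename are handled defensively: encode the body exactly once, declare it as text with a charset, send `X-Content-Type-Options: nosniff` so the browser does not sniff the attachment into HTML, and strip path and header-breaking characters from the filename. It assumes an ASP.NET WebForms page (System.Web) on .NET 4.5 or later, where `AntiXssEncoder` lives in `System.Web.Security.AntiXss`; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Web.Security.AntiXss;

// Hypothetical helper for the handler in the question (assumed: ASP.NET WebForms, .NET 4.5+).
public static class SafeTextDownload
{
    // Keep only a bare file name with a conservative character set so the
    // Content-Disposition header cannot be broken by quotes, CR/LF or path separators.
    public static string SanitizeFileName(string fileName)
    {
        string name = Path.GetFileName(fileName ?? string.Empty);
        var sb = new StringBuilder(name.Length);
        foreach (char c in name)
        {
            sb.Append(char.IsLetterOrDigit(c) || c == '.' || c == '-' || c == '_' ? c : '_');
        }
        return sb.Length > 0 ? sb.ToString() : "download.txt";
    }

    // Encode the untrusted contents exactly once. The HtmlDecode(HtmlEncode(...))
    // round trip in the question is a no-op, so only the AntiXssEncoder pass is kept.
    public static byte[] EncodeContent(byte[] fileBytes)
    {
        string text = Encoding.UTF8.GetString(fileBytes, 0, fileBytes.Length);
        return Encoding.UTF8.GetBytes(AntiXssEncoder.HtmlEncode(text, useNamedEntities: true));
    }

    public static void Write(HttpResponse response, byte[] fileBytes, string fileName)
    {
        byte[] body = EncodeContent(fileBytes);

        response.Clear();
        response.ContentType = "text/plain";
        response.Charset = "utf-8";
        // Tell browsers to honour the declared type instead of sniffing the body as HTML.
        response.AppendHeader("X-Content-Type-Options", "nosniff");
        response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + SanitizeFileName(fileName) + "\"");
        response.BinaryWrite(body);
        response.Flush();
        // CompleteRequest ends the response without the ThreadAbortException that Response.End() raises.
        HttpContext.Current.ApplicationInstance.CompleteRequest();
    }
}
```

Call it from the branch in the question as `SafeTextDownload.Write(Response, fileBytes, fileName);` in place of the MemoryStream write.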

There are 0 answers