CA5363 | Security | Enabled by default: No

Do not disable request validation


Description

Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content that can lead to injection attacks, including cross-site scripting.

Cause

The attribute ValidateInput is set to false for a class or method.

How to fix violations

Set the ValidateInput attribute to true or delete it entirely. Alternatively, use AllowHtmlAttribute to allow HTML in specific parts of the input.

Example

using System.Web.Mvc;

class TestControllerClass
{
    // Violation: request validation is disabled for this action.
    [ValidateInput(false)]
    public void TestActionMethod()
    {
    }
}

using System.Web.Mvc;

class TestControllerClass
{
    // Fix: request validation is enabled (the same result as deleting the attribute).
    [ValidateInput(true)]
    public void TestActionMethod()
    {
    }
}
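
The per-property alternative mentioned under "How to fix violations", as an added example that is not part of the original rule page: request validation stays on for the action, and only one model property accepts markup, which is then encoded and restored against a small allow-list. `CommentModel`, `CommentController`, `ToSafeHtml`, the tag list and the view name are assumptions made for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

// Hypothetical view model: only Body opts out of request validation.
public class CommentModel
{
    [Required, StringLength(100)]
    public string Title { get; set; }   // still request-validated

    [AllowHtml]                          // markup accepted for this property only
    [Required, StringLength(4000)]
    public string Body { get; set; }
}

public class CommentController : Controller
{
    // Tags restored after encoding. Only exact, attribute-less forms match,
    // so event handlers, style attributes and URLs never survive.
    private static readonly string[] AllowedTags = { "b", "i", "em", "strong", "p" };

    // Encode everything, then re-enable only the allow-listed tags.
    internal static string ToSafeHtml(string input)
    {
        string encoded = HttpUtility.HtmlEncode(input ?? string.Empty);
        foreach (string tag in AllowedTags)
        {
            encoded = encoded.Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                             .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded;
    }

    // No [ValidateInput(false)] here: request validation stays on for the action.
    [HttpPost]
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Body bypassed request validation, so neutralise it before it is
        // stored or rendered. The view emits SafeBody with Html.Raw.
        ViewBag.SafeBody = ToSafeHtml(model.Body);
        return View("Created", model);
    }
}
```

With this shape, a `<script>` element posted in `Title` is still rejected by request validation, while one posted in `Body` reaches the action and comes out of `ToSafeHtml` as inert encoded text.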

When to suppress

You can suppress this violation if all the payload in the incoming HTTP request is sourced from a trusted entity and could not be tampered with by an adversary prior to or during transport.
