Why this file read got flagged as Cross Site Scripting?

Time:09-01

Corporate runs all of our source code through vulnerability scanning software, and the following line got flagged as Cross Site Scripting:

divFooter.InnerHtml = Utilities.Utils.ReadFromTextFile(System.IO.Path.Combine(Folders.Templates, Constants.Files.Templates.FooterEN));

Where Constants.Files.Templates.FooterEN is a const string and Folders.Templates is calculated by: Path.Combine(System.Web.HttpContext.Current.Request.PhysicalApplicationPath, "Templates").

Why is reading a template file XSS? They are in the same folder as the html files, so they are not less secure.

CodePudding user response:

It might be a false positive. The tool probably flags every assignment to InnerHtml that comes from sensitive sinks, in this case ReadFromTextFile.

In your particular case it may not be a real vulnerability. Now imagine if the text file was submitted somewhere by the user: it would result in a real XSS vulnerability.

The tool statically analyzes the code, so it does not know if the result of Path.Combine(System.Web.HttpContext.Current.Request.PhysicalApplicationPath, "Templates") is secure or not.
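
The distinction drawn in the answer, as an added C# example (not code from the question or the answer): a template shipped with the application is returned as raw HTML only after an allow-list and folder-containment check, while a file users can write to is HTML-encoded before it reaches an HTML sink such as `InnerHtml`. The class, method and file names are hypothetical, the sample files are constructed, and `File.ReadAllText` stands in for the question's `Utilities.Utils.ReadFromTextFile`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;

static class FooterTemplates
{
    // Hypothetical allow-list: only template files shipped with the application.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "footer_en.html" };

    // Returns raw HTML, but only for an allow-listed name that resolves inside templatesRoot.
    public static string LoadTrusted(string templatesRoot, string fileName)
    {
        if (!Allowed.Contains(fileName))
            throw new ArgumentException("Template is not on the allow-list.", nameof(fileName));

        string root = Path.GetFullPath(templatesRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the templates folder.");

        return File.ReadAllText(full);
    }

    // For a file users can write to: encode so markup is displayed as text, not executed.
    public static string LoadUntrustedAsText(string path)
    {
        return WebUtility.HtmlEncode(File.ReadAllText(path));
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data in a temporary folder.
        string root = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(root);
        File.WriteAllText(Path.Combine(root, "footer_en.html"), "<p>&copy; Example Corp</p>");
        string upload = Path.Combine(root, "upload.txt");
        File.WriteAllText(upload, "<script>alert(1)</script>");

        Console.WriteLine(FooterTemplates.LoadTrusted(root, "footer_en.html"));
        Console.WriteLine(FooterTemplates.LoadUntrustedAsText(upload));
        Directory.Delete(root, true);
    }
}
```

A static scanner may still report the trusted path, because it cannot verify who is able to write to the Templates folder; that remains a deployment property to confirm when triaging the finding.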
