C#: Add Xss attribute collection test example and update expected output.

michaelnebel · michaelnebel · commit 28c48fb47104 · 2024-09-25T14:12:55.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.expected
@@ -1,5 +1,5 @@
-| script.aspx:4:1:4:23 | <%= ... %> | XSS.cs:115:16:115:29 | someJavascript |
-| script.aspx:8:1:8:12 | <%= ... %> | XSS.cs:122:24:122:28 | Field |
+| script.aspx:4:1:4:23 | <%= ... %> | XSS.cs:120:16:120:29 | someJavascript |
+| script.aspx:8:1:8:12 | <%= ... %> | XSS.cs:127:24:127:28 | Field |
 | script.aspx:12:1:12:14 | <%= ... %> | <outside test directory> | Request |
 | script.aspx:16:1:16:34 | <%= ... %> | <outside test directory> | QueryString |
 | script.aspx:20:1:20:41 | <%= ... %> | <outside test directory> | QueryString |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs
@@ -17,6 +17,7 @@ class XSS
         Table table;
         Label label;
         string connectionString;
+        public Button button;
 
         public void WebUIXSS()
         {
@@ -100,6 +101,10 @@ public void HtmlEncoded(HttpContextBase context)
             // GOOD: HTML encoding
             string name = context.Request.QueryString["name"];
             new StringContent(HttpUtility.HtmlEncode(name));
+
+            // GOOD: Implicit HTML encoding
+            string html = context.Request.QueryString["html"];
+            button.Attributes.Add("data-href", html);
         }
 
         public void UrlEncoded(HttpContextBase context)
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected
