Recently we ran Veracode on our web application. We got CWE-80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the below lines:
reassignButton.Attributes.Add("ReassignRefId", HttpUtility.HtmlAttributeEncode(rfid));
statusButton.Attributes.Add("ReferrelId", HttpUtility.HtmlAttributeEncode(rfid));
statusButton.Attributes.Add("onclick", "MultipleReferralButtonClick('" + rfid + "')");
Does anyone have any suggestions on how to fix this?
I solved it using Microsoft.Security.Application.Encoder.HtmlAttributeEncode(). See the below code:
reassignButton.Attributes.Add("ReassignRefId", Microsoft.Security.Application.Encoder.HtmlAttributeEncode(rfid));
statusButton.Attributes.Add("ReferrelId", Microsoft.Security.Application.Encoder.HtmlAttributeEncode(rfid));
statusButton.Attributes.Add("onclick", "MultipleReferralButtonClick('" + Microsoft.Security.Application.Encoder.HtmlAttributeEncode(rfid) + "')");
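The third line is the one worth looking at more closely, because the value lands in two nested contexts: a JavaScript string literal inside an HTML attribute. An attribute encoder alone does not protect the inner JavaScript string context. The following C# is an added example, not the asker's or answerer's code, showing how to encode for both contexts in the right order (inner JavaScript string first, outer HTML attribute second) and the alternative of carrying the id in a data attribute so no inline script is built from user data at all. It assumes the `System.Web` version of `HttpUtility` that the question already uses; the helper names and the sample id are constructed for the illustration.

```csharp
// Added example (not from the original question or answer).
// Encoding a value that ends up inside a JS string literal inside an HTML attribute.
using System;
using System.Web; // System.Web.dll: HttpUtility

static class ReferralButtonEncoding
{
    // Hypothetical helper: produce the value for an onclick attribute of the form
    //   MultipleReferralButtonClick('<rfid>')
    // Encode the innermost context first (JavaScript string literal), then the
    // context that wraps it (HTML attribute value).
    public static string BuildOnclickValue(string rfid)
    {
        // Escapes quotes, backslashes, angle brackets and control characters so the
        // value cannot close the string literal or the handler.
        string jsLiteral = HttpUtility.JavaScriptStringEncode(rfid);
        string handler = "MultipleReferralButtonClick('" + jsLiteral + "')";
        // Now make the whole handler safe to sit inside a quoted HTML attribute.
        return HttpUtility.HtmlAttributeEncode(handler);
    }

    // Hypothetical helper for the safer layout: keep the id in a data-* attribute
    // (attribute-encoded only) and let page script read it, so no handler is
    // assembled from the value at all.
    public static string BuildDataAttribute(string rfid)
    {
        return HttpUtility.HtmlAttributeEncode(rfid);
    }

    static void Main()
    {
        // Constructed sample id containing quote and tag characters, the kind of
        // input a scanner uses to probe the attribute.
        string sample = "12'); x('<b>";
        Console.WriteLine(BuildOnclickValue(sample));
        Console.WriteLine(BuildDataAttribute(sample));
    }
}
```

In the Web Forms code this would be `statusButton.Attributes.Add("onclick", BuildOnclickValue(rfid))`, or `statusButton.Attributes.Add("data-referral-id", BuildDataAttribute(rfid))` with a page-level script that reads `data-referral-id` from the clicked element. After either change, view the rendered page source for the button: the control's own rendering may already attribute-encode the value, and the goal is exactly one layer of attribute encoding, not two.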