codeql/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.cs

using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections.Specialized;
namespace Test
{
    class XSS
    {
        TextBox categoryTextBox;
        Calendar calendar;
        Table table;
        Label label;
        string connectionString;

        public void WebUIXSS()
        {
            // BAD: Reading from textbox, then writing an amended value to a control that does not HTML encode
            StringBuilder userInput = new StringBuilder();
            userInput.AppendFormat("{0} test", categoryTextBox.Text);
            calendar.Caption = userInput.ToString();
            table.Caption = userInput.ToString();
            label.Text = userInput.ToString();

            // GOOD: Reading from textbox, then writing an amended value to a control that does HTML encode
            categoryTextBox.Text = userInput.ToString();
        }

        public void processRequest(HttpContext context)
        {
            // BAD: Read user input from a request, write it straight to a response
            string name = context.Request.QueryString["name"];
            context.Response.Write(name);

            // GOOD: Read user input from a request, but encode it before writing to the response
            string name2 = context.Request.QueryString["name"];
            name2 = HttpUtility.HtmlEncode(name2);
            context.Response.Write(name2);
        }

        public void processNumber(HttpContext context)
        {
            // GOOD: Read user input from a request, but parse it
            string stringCount = context.Request.QueryString["count"];
            int count = int.Parse(stringCount);
            context.Response.Write(count.ToString());
        }

        public void mvcProcess(HttpContext context)
        {
            // BAD: Mimic what happens in cshtml pages
            string name = context.Request.Unvalidated.QueryString["name"];
            HtmlHelper html = new HtmlHelper(null, null);
            html.Raw(name);
        }

        public void listener(HttpContext context)
        {
            // BAD: Writing user input directly to a HttpListenerResponse
            string name = context.Request.Unvalidated.QueryString["name"];
            HttpListener listener = new HttpListener();
            HttpListenerContext listenerContext = listener.GetContext();
            byte[] data = Encoding.ASCII.GetBytes(name);
            listenerContext.Response.OutputStream.Write(data, 0, data.Length);
        }

        public void contextBase(HttpContextBase context)
        {
            // BAD: Writing user input directly to a HttpListenerResponse
            string name = context.Request.QueryString["name"];
            context.Response.Write(name);
            // BAD: Writing user input directly to a HttpListenerResponse
            string name2 = context.Request["name"];
            context.Response.Write(name2);
        }

        public void htmlStrings(HttpContextBase context)
        {
            // BAD: Writing user input into a HtmlString without encoding
            string name = context.Request.QueryString["name"];
            new HtmlString(name);
            new MvcHtmlString(name);
            new MyHtmlString(context.Request);
        }

        public void WebContent(HttpContextBase context)
        {
            // BAD: Writing user input into a StringContent without encoding
            string name = context.Request.QueryString["name"];
            new StringContent(name);
        }

        public void HtmlEncoded(HttpContextBase context)
        {
            // GOOD: HTML encoding
            string name = context.Request.QueryString["name"];
            new StringContent(HttpUtility.HtmlEncode(name));
        }

        public void UrlEncoded(HttpContextBase context) {
            // GOOD: URL encoding
            string name = context.Request.QueryString["name"];
            new StringContent(HttpUtility.UrlEncode(name));
        }
    }

    class XSSPage : Page
    {
        string someJavascript()
        {
            // actually testing this sink involves putting local paths into the results
            //return Request.QueryString["yolo"];
            return "someJavascript";
        }

        private string Field { get; set; }
    }

    class MyHtmlString : IHtmlString
    {
        private HttpRequestBase Request { get; set; }
        public MyHtmlString(HttpRequestBase request)
        {
            this.Request = request;
        }

        public string ToHtmlString()
        {
            return Request.RawUrl;
        }
    }
}

namespace System.Net
{
    public class HttpListenerResponse
    {
        public System.IO.Stream OutputStream => null;
    }

    class HttpListenerContext
    {
        public HttpListenerResponse Response => null;
    }

    class HttpListener
    {
        public HttpListenerContext GetContext() => null;
    }
}