Cross-site scripting attack in ASP.NET C#

Time: 2017-04-24 12:53:00

Tags: c# asp.net xss checkmarx

Below is the code that the Checkmarx report has flagged as an XSS risk.

// requires: using System.Data.SqlClient;
public string MasterPage(string name)
{
    var img = string.Empty;

    // conn is the connection string field defined elsewhere in this class.
    using (SqlConnection dataConnection1 = new SqlConnection(conn))
    using (SqlCommand dataCommand2 = dataConnection1.CreateCommand())
    {
        // dataCommand2.CommandText = "select Uid from Usrtable where Uname = @Uname";
        dataCommand2.CommandText = "select Uimage from Usrtable where Uname = @Uname";
        dataCommand2.Parameters.AddWithValue("@Uname", name);

        dataConnection1.Open();
        // int id = (int)(dataCommand2.ExecuteScalar());
        // ExecuteScalar returns null for no row and DBNull for a NULL column;
        // "as string" avoids an InvalidCastException in both cases.
        img = dataCommand2.ExecuteScalar() as string ?? string.Empty;
        dataConnection1.Close();
    }

    return img;
}

UI

 <asp:Image ID="Image1" Runat="server" />

aspx.cs

var img = logic.MasterLogic(name);
// "images" is a folder. img comes from the database table: it is the image
// path saved in the db. The report points at this line for the vulnerability.
Image1.ImageUrl = @"images" + "/" + img.ToString();
Image2.ImageUrl = @"images" + "/" + img.ToString();
string clientname = Session["clientname"].ToString();
Client.Text = Session["clientname"].ToString();

The report states: the data-class file retrieves data from the database through the ExecuteScalar element. The value of this element then flows through the code without being properly filtered or encoded, and is finally displayed to the user in the Page_Load method (aspx.cs).
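The finding is a stored-XSS / taint-flow report: the scanner sees a database value (Uimage) reach page output (ImageUrl) with no validation or encoding in between, so it cannot tell a harmless "user42.png" from a value that was written into the table with a quote, a "../" traversal or a scheme prefix. The way to close such a finding is to stop treating the database as trusted and validate the value at the point where it becomes a URL. The following is an added example, not code from the question; it assumes stored image names are plain file names like "user42.png" and that a default image exists in the images folder, and the helper and class names are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not code from the question: treat the value read from
// Usrtable.Uimage as untrusted and validate it before it reaches ImageUrl.
public static class ImageUrlSanitizer
{
    // Assumption: stored image names look like "user42.png". Anything with a
    // path separator, quote, space, scheme or unexpected extension is rejected.
    private static readonly Regex SafeImageName = new Regex(
        @"^[A-Za-z0-9_\-]{1,64}\.(png|jpe?g|gif)$",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Returns a relative URL suitable for Image.ImageUrl, or null if the stored
    // value fails validation, so the caller can substitute a default image.
    public static string BuildImageUrl(string storedValue, string folder = "images")
    {
        if (string.IsNullOrWhiteSpace(storedValue))
            return null;

        string fileName = storedValue.Trim();

        // Positive whitelist check: this is what ends the taint flow for the
        // scanner and also blocks "../" traversal out of the images folder.
        if (!SafeImageName.IsMatch(fileName))
            return null;

        // Defence in depth: percent-encode the path segment. With the whitelist
        // above this is a no-op, but it keeps the output safe if the rule is
        // ever relaxed to allow more characters.
        return folder + "/" + Uri.EscapeDataString(fileName);
    }
}

// In Page_Load the original assignment becomes (default.png is assumed to exist):
//
//     var img = ImageUrlSanitizer.BuildImageUrl(logic.MasterLogic(name));
//     Image1.ImageUrl = img ?? "images/default.png";
//
// The console entry point below only shows which constructed values survive.
public static class Program
{
    public static void Main()
    {
        // Constructed sample values, including the kinds of strings an
        // attacker who can write to Usrtable.Uimage might plant.
        string[] samples =
        {
            "user42.png",
            "../../web.config",
            "x.png\" onerror=\"alert(1)",
            "javascript:alert(1)",
            "photo of me.jpg",
            "",
        };

        foreach (string s in samples)
        {
            string url = ImageUrlSanitizer.BuildImageUrl(s);
            Console.WriteLine("{0,-30} -> {1}", s, url ?? "(rejected, use default image)");
        }
    }
}
```

Two points worth keeping in mind when applying this. First, a whitelist on the file name is preferable to HTML-encoding here because the value is not only an attribute value but also a path segment under the images folder, and encoding does nothing against "../" traversal. Second, validating on the way out is what the scanner traces; validating on the way in (when the image name is saved) is good practice too, but it does not by itself clear a finding that follows the database-to-output path.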

0 answers:

No answers