gene gene - 6 months ago 68
C# Question

Cannot fix cross-site scripting error

Done everything I could with the code to fix it but Veracode still gives error for the following code:

Byte[] bytes = (Byte[])dt.Rows[i]["Content"];
Response.Buffer = true;
Response.ContentType = StringEncode(HttpUtility.HtmlEncode(dt.Rows[i]["Extension"].ToString()));
Response.AddHeader("content-disposition", "attachment;filename=" + StringEncode(HttpUtility.HtmlEncode(dt.Rows[0]["FileName"].ToString())));

It points to the line with

What should be done?
Any suggestions?


I think you can safely mark this as a false positive when your users are using modern browsers.

Setting content disposition to download the response as an attachment should prevent any scripting from being executed in the browser. It appears that Veracode has not picked up the fact that you are doing this.

Note that old browsers like IE 6/7 will ignore the the content-disposition header if they already have the response cached. You could possibly detect the cases when these browsers are used and prevent the content from loading in these browsers.