Question Cross-Site Scripting: Reflected flagged

[snowfrost80]

The following codes are flagged out in my cs file by Fortify even after I have added the AntiXss. May I know how do I resolve this?

protected void Page_Load(object sender, EventArgs e)
{
    if (!Page.IsPostBack)
    {
        lblMessage.Text = txtEmail.Text =
            System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(string.Empty,true);
    }
}

 

[Skydiver]

Most of us don't have Fortify. Can you at least tell us what the exact message that Fortify shows with regards to some items being flagged?

Personally, I would just delete lines 3-7 and not give Fortify anything to complain about. My reasoning is this: Since it's not a postback, then the default state of text boxes and labels are empty strings -- unless you were settings these controls to be non-empty while using the WebForms designer.

And if you absolutely must set these to be empty strings because you did set the default values in the WebForms designer, then use 2 separate lines which is inline with the C# coding recommendations. Although C# supports the C++ style stacking like you are doing, it's really a poor programming practice. Gone are the C and C++ days of trying to conserve lines because of the more lines you had, the slower the compiler would run. Modern programming encourages writing more expressive code that is easy to understand. So write your code as:

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        lblMessage.Text = string.Empty;
        txtEmail.Text = string.Empty;
    }
}