Open Mikejo5000 opened 3 years ago
Key issue remaining from the original:
@Mikejo5000 Sorry to bother you but looking at the doc for this rule I think it would be better to have either a table listing the sanitizers or to have a separate documentation page to refer to.
Here is the list I have extracted from the code (note that I didn't put the url link to the documentation for each method but it might be nice to do so).
XML sanitizers
- Microsoft.Security.Application.AntiXss.XmlAttributeEncode
- Microsoft.Security.Application.AntiXss.XmlEncode
- Microsoft.Security.Application.Encoder.XmlAttributeEncode
- Microsoft.Security.Application.Encoder.XmlEncode
- System.Web.Security.AntiXss.AntiXssEncoder.XmlAttributeEncode
- System.Web.Security.AntiXss.AntiXssEncoder.XmlEncode

Primitive type conversion
- bool.Parse / bool.TryParse
- byte.Parse / byte.TryParse
- char.Parse / char.TryParse
- short.Parse / short.TryParse
- int.Parse / int.TryParse
- long.Parse / long.TryParse
- float.Parse / float.TryParse
- double.Parse / double.TryParse
- decimal.Parse / decimal.TryParse
- System.DateTime.Parse / System.DateTime.TryParse
- System.TimeSpan.Parse / System.TimeSpan.TryParse
- System.Number.ParseInt32 / System.Number.TryParseInt32
- System.Number.ParseInt64 / System.Number.TryParseInt64
Note that encoding is not sanitizing. They are two different concepts. Calling the classes above sanitizers is technically incorrect and should be avoided.
@blowdart You are right! Currently they are considered sanitizers in the analyzer implementation (hence the naming here), which might be a bug but will need to be discussed on the analyzer repository.
Ported from MicrosoftDocs/visualstudio-docs#4996 (missed this one in the earlier ports)
@Evangelink originally wrote:
I am wondering whether the documentation shall be updated to list the sanitizers. WDYT?
See linked issue for full discussion.