dotnet / docs

This repository contains .NET Documentation.
https://learn.microsoft.com/dotnet
Creative Commons Attribution 4.0 International

CA3009 - shall you mention sanitizers? #24581

Open Mikejo5000 opened 3 years ago

Mikejo5000 commented 3 years ago

Ported from MicrosoftDocs/visualstudio-docs#4996 (missed this one in the earlier ports)

@Evangelink originally wrote:

I am wondering whether the documentation shall be updated to list the sanitizers. WDYT?

See linked issue for full discussion.


Mikejo5000 commented 3 years ago

Key issue remaining from the original:

@Mikejo5000 Sorry to bother you but looking at the doc for this rule I think it would be better to have either a table listing the sanitizers or to have a separate documentation page to refer to.

Here is the list I have extracted from the code (note that I didn't put the url link to the documentation for each method but it might be nice to do so).

XML sanitizers:
- Microsoft.Security.Application.AntiXss.XmlAttributeEncode
- Microsoft.Security.Application.AntiXss.XmlEncode
- Microsoft.Security.Application.Encoder.XmlAttributeEncode
- Microsoft.Security.Application.Encoder.XmlEncode
- System.Web.Security.AntiXss.AntiXssEncoder.XmlAttributeEncode
- System.Web.Security.AntiXss.AntiXssEncoder.XmlEncode

Primitive type conversion:
- bool.Parse, bool.TryParse
- byte.Parse, byte.TryParse
- char.Parse, char.TryParse
- short.Parse, short.TryParse
- int.Parse, int.TryParse
- long.Parse, long.TryParse
- float.Parse, float.TryParse
- double.Parse, double.TryParse
- decimal.Parse, decimal.TryParse
- System.DateTime.Parse, System.DateTime.TryParse
- System.TimeSpan.Parse, System.TimeSpan.TryParse
- System.Number.ParseInt32, System.Number.ParseInt64
- System.Number.TryParseInt32, System.Number.TryParseInt64
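To make the list concrete, here is an added C# example (not from the docs repo or the analyzer) showing the kind of tainted flow CA3009 reports and how two of the methods listed above end it: a typed conversion (int.TryParse) and an XML encoder (AntiXssEncoder.XmlEncode). It assumes the .NET Framework System.Web assembly for AntiXssEncoder, and the untrusted input is constructed for the demo.

```csharp
using System;
using System.Xml;
using System.Web.Security.AntiXss; // .NET Framework System.Web.dll (assumed available)

public static class XmlInjectionDemo
{
    // Constructed untrusted input (think: a query-string value) that closes
    // the <id> element and adds an element the application never intended.
    public const string UntrustedId = "42</id><role>admin</role><id>";

    // Vulnerable: the tainted string is concatenated straight into XML markup.
    // This is the flow CA3009 reports; the input above becomes a second element.
    public static XmlDocument BuildVulnerable(string untrusted)
    {
        var doc = new XmlDocument();
        doc.LoadXml("<user><id>" + untrusted + "</id></user>");
        return doc;
    }

    // Typed conversion: int.TryParse is on the analyzer's list. The resulting
    // int cannot carry markup, so the taint does not reach LoadXml.
    public static XmlDocument BuildWithParse(string untrusted)
    {
        if (!int.TryParse(untrusted, out int id))
            throw new ArgumentException("id must be an integer");
        var doc = new XmlDocument();
        doc.LoadXml("<user><id>" + id + "</id></user>");
        return doc;
    }

    // Encoding: XmlEncode turns '<' and '>' into entities, so the input stays
    // text. The analyzer lists it as a sanitizer; strictly it is an encoder.
    public static XmlDocument BuildWithEncode(string untrusted)
    {
        var doc = new XmlDocument();
        doc.LoadXml("<user><id>" + AntiXssEncoder.XmlEncode(untrusted) + "</id></user>");
        return doc;
    }

    public static void Main()
    {
        bool injected = BuildVulnerable(UntrustedId).SelectSingleNode("/user/role") != null;
        Console.WriteLine("vulnerable build contains injected <role>: " + injected);
        bool encodedSafe = BuildWithEncode(UntrustedId).SelectSingleNode("/user/role") == null;
        Console.WriteLine("encoded build kept input as text: " + encodedSafe);
        Console.WriteLine("parsed id: " + BuildWithParse("42").SelectSingleNode("/user/id").InnerText);
        try { BuildWithParse(UntrustedId); }
        catch (ArgumentException e) { Console.WriteLine("parse rejected input: " + e.Message); }
    }
}
```

Only the first build ends up with a /user/role node; the other two never let the markup characters reach the parser as markup.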

blowdart commented 3 years ago

Note that encoding is not sanitizing. They are two different concepts. Calling the classes above sanitizers is technically incorrect and should be avoided.

Evangelink commented 3 years ago

@blowdart You are right! Currently they are considered as sanitizers in the analyzer implementation (hence this naming here) which might be a bug but will need to be discussed on the analyzer repository.