CX Stored_XSS @ WebSite/BusinessLogic/Data/ProductRepository.cs [master]

[kmcdon83]

Stored_XSS issue exists @ WebSite/BusinessLogic/Data/ProductRepository.cs in branch master

Method GetTopProducts at line 20 of WebSite\BusinessLogic\Data\ProductRepository.cs gets data from the database, for the Orders element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method Page_Load at line 10 of WebSite\Default.aspx.cs. This may enable a Stored Cross-Site-Scripting attack.

Severity: High
CWE:79
Vulnerability details and guidance
Lines: 23 25 31

---

Code (Line #23):

            var topProducts = (from o in _context.Orders

---

Code (Line #25):

                               join od in _context.OrderDetails on o.OrderId equals od.OrderId

---

Code (Line #31):

                topProducts = _context.Products.OrderByDescending(p => p.UnitPrice).Take(NumberOfProductsToReturn).ToList();

---

[kmcdon83]

Issue still exists.