veracode

How to fix “Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)” in PHP output string

别说谁变了你拦得住时间么 submitted on 2019-12-08 04:14:20
I have the following PHP code:

    <?php
    $Output = '<table><thead><tr>';
    $Output .= '<th>Display</th></tr></thead><tbody>';
    for ($k = 0; $k < count($ColumnsInSQL); $k++) {
        $Output .= '<tr><td>'.$KS_ResultSet_level[$k][strtoupper(trim($ColumnsInSQL[$k]))].'</td></tr>';
    }
    $Output .= '</tbody></table>';
    echo $Output;
    ?>

Recently I ran the code through Veracode and I am getting an issue with "echo $Output;". Can anyone please help me to fix this?

Use htmlentities() to encode special characters in the variable data.

    $Output .= '<tr><td>'.htmlentities($KS_ResultSet_level[$k][strtoupper(trim($ColumnsInSQL[$k]))]

Security: CWE-201: What is the correct way to securely read a properties file using openStream?

不打扰是莪最后的温柔 submitted on 2019-12-07 17:10:45
Question: I'm working on coming up with a solution for CWE-201 that is flagged by Veracode.

Background: CWE-201: Information Exposure Through Sent Data
Weakness ID: 201 (Weakness Variant)
Status: Draft
Description Summary: The accidental exposure of sensitive information through sent data refers to the transmission of data which are either sensitive in and of themselves or useful in the further exploitation of the system through standard data channels.

Veracode directory traversal Issue c#

落爺英雄遲暮 submitted on 2019-12-07 14:18:00
Question: I have this code that stores a file to the server:

    void StoreFile(string inputFileName)
    {
        ...
        var extension = Path.GetExtension(inputFileName);
        if (extension == ".csv")
        {
            var fileName = string.Format("{0}_{1}{2}", Session.SessionID, new Guid(), extension);
            var dataFileServerPath = _documentService.getPath(fileName, UserProfile.UserName, UserProfile.SourceID);
            if (!string.IsNullOrEmpty(dataFileServerPath))
            {
                try
                {
                    using (FileStream dataFile = new FileStream(dataFileServerPath, FileMode.Create)

Veracode directory traversal Issue c#

寵の児 submitted on 2019-12-05 18:45:31
I have this code that stores a file to the server:

    void StoreFile(string inputFileName)
    {
        ...
        var extension = Path.GetExtension(inputFileName);
        if (extension == ".csv")
        {
            var fileName = string.Format("{0}_{1}{2}", Session.SessionID, new Guid(), extension);
            var dataFileServerPath = _documentService.getPath(fileName, UserProfile.UserName, UserProfile.SourceID);
            if (!string.IsNullOrEmpty(dataFileServerPath))
            {
                try
                {
                    using (FileStream dataFile = new FileStream(dataFileServerPath, FileMode.Create))
                    {
                        ....
                    }
                }
                catch (Exception e)
                {
                    ...
                }
            }
        }
        else
        {
            throw new NotSupportedFormatError();
        }
    }

After

“Untrusted initialization” flaw - while creating SQL Connection

試著忘記壹切 submitted on 2019-12-01 17:42:21
I have done the following...

    private static IDbConnectionProvider CreateSqlConnectionProvider(DbConfig dbConfig)
    {
        return new QcDbConnectionProvider(() =>
        {
            SqlConnectionStringBuilder csBuilder = new SqlConnectionStringBuilder();
            if (!string.IsNullOrEmpty(dbConfig.DataSource))
                csBuilder.DataSource = dbConfig.DataSource;
            if (!string.IsNullOrEmpty(dbConfig.Database))
                csBuilder.InitialCatalog = dbConfig.Database;
            . . . .
            return new SqlConnection(csBuilder.ConnectionString);
        });
    }

The client is using the VERACODE tool for code analysis, and VERACODE has detected a flaw "Untrusted

How to configure the XML parser to disable external entity resolution in c#

感情迁移 submitted on 2019-11-30 09:19:32
    var xDoc = XDocument.Load(fileName);

I am using the above code in a function to load an XML file. Functionality-wise it's working fine, but it is showing the following Veracode flaw after a Veracode check.

Description: The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the

How to configure the XML parser to disable external entity resolution in c#

穿精又带淫゛_ submitted on 2019-11-29 13:58:22
Question:
    var xDoc = XDocument.Load(fileName);

I am using the above code in a function to load an XML file. Functionality-wise it's working fine, but it is showing the following Veracode flaw after a Veracode check.

Description: The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve

How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?

好久不见. submitted on 2019-11-29 08:01:40
We use a web control adapter in our login page. Recently we ran VeraCode on our web application. In the following function, we got CWE80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line rev.ErrorMessage = msg;. Following is the function in the WebControlAdapterExtender class.

    static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
    {
        if (rev != null)
        {
            rev.CssClass = className;
            rev.ControlToValidate = controlToValidate;
            rev.ErrorMessage

How to fix “Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')”

故事扮演 submitted on 2019-11-28 10:27:46
After running VeraCode, it reported the following error "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')" in the following code fragment:

    protected override void InitializeCulture()
    {
        //If true then setup the ability to have a different culture loaded
        if (AppSettings.SelectLanguageVisibility)
        {
            //Create cookie variable and check to see if that cookie exists and set it if it does.
            HttpCookie languageCookie = new HttpCookie("LanguageCookie");
            if (Request.Cookies["LanguageCookie"] != null)
                languageCookie = Request.Cookies["LanguageCookie"];
            //Check to see if

How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?

巧了我就是萌 submitted on 2019-11-28 01:30:51
Question: We use a web control adapter in our login page. Recently we ran VeraCode on our web application. In the following function, we got CWE80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line rev.ErrorMessage = msg;. Following is the function in the WebControlAdapterExtender class.

    static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
    {