Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in.
1[HttpGet]
2public string Get(string untrusted)
3{
4 // Noncompliant: Directly use untrusted data from input
5 return "value " + untrusted;
6}
1[HttpPost]
2[ValidateAntiForgeryToken]
3public string Post(string untrusted)
4{
5 // Compliant: Encode untrusted data before use
6 return "value " + HttpUtility.HtmlEncode(untrusted);
7}