CA5363: Do not disable request validation

Property Value
Rule ID CA5363
Title Do not disable request validation
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

The attribute ValidateInput is set to false for a class or method.

Rule description

Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content that can lead to injection attacks, including cross-site-scripting.

How to fix violations

Set the ValidateInput attribute to true or delete it entirely. Alternatively, use AllowHTMLAttribute to allow HTML in specific parts of the input.

When to suppress warnings

You can suppress this violation if all the payload in the incoming HTTP request is sourced from a trusted entity and could not be tampered with by an adversary prior to or during transport.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5363
// The code that's violating the rule is on this line.
#pragma warning restore CA5363

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5363.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

The following pseudo-code sample illustrates the pattern detected by this rule. This disables input validation.

using System.Web.Mvc;

class TestControllerClass
{
    [ValidateInput(false)]
    public void TestActionMethod()
    {
    }
}

Solution

using System.Web.Mvc;

class TestControllerClass
{
    [ValidateInput(true)]
    public void TestActionMethod()
    {
    }
}