CA5363: Do not disable request validation
| Property | Value |
|---|---|
| Rule ID | CA5363 |
| Title | Do not disable request validation |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
The attribute `ValidateInput` is set to `false` for a class or method.
Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content that can lead to injection attacks, including cross-site scripting.
Set the `ValidateInput` attribute to `true` or delete it entirely. Alternatively, use `AllowHtmlAttribute` to allow HTML in specific parts of the input.
You can suppress this violation if all the payload in the incoming HTTP request is sourced from a trusted entity and could not be tampered with by an adversary prior to or during transport.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
```csharp
#pragma warning disable CA5363
// The code that's violating the rule is on this line.
#pragma warning restore CA5363
```
To disable the rule for a file, folder, or project, set its severity to `none` in the configuration file.
```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5363.severity = none
```
For more information, see How to suppress code analysis warnings.
The following pseudo-code sample illustrates the pattern detected by this rule. This disables input validation.
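```csharp
using System.Web.Mvc;

class TestControllerClass
{
    // Violation: request validation is turned off for this action.
    [ValidateInput(false)]
    public void TestActionMethod()
    {
    }
}
```

The following sample keeps request validation enabled:

```csharp
using System.Web.Mvc;

class TestControllerClass
{
    // Request validation stays on for this action.
    [ValidateInput(true)]
    public void TestActionMethod()
    {
    }
}
```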
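The `AllowHtmlAttribute` alternative mentioned above, as an added example that is not part of the original rule documentation: request validation stays on for the action and is relaxed for one model property only. `CommentModel`, `CommentController`, the in-memory store and the views are hypothetical names assumed for illustration.

```csharp
using System.Collections.Concurrent;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical view model: only Body is allowed to carry markup.
public class CommentModel
{
    [Required, StringLength(100)]
    public string Title { get; set; }   // still checked by request validation

    [AllowHtml]                         // opt-out applies to this property only
    [Required, StringLength(4000)]
    public string Body { get; set; }
}

public class CommentController : Controller
{
    // Constructed in-memory store so the sample is self-contained.
    private static readonly ConcurrentBag<CommentModel> Store =
        new ConcurrentBag<CommentModel>();

    [HttpPost]
    [ValidateAntiForgeryToken]
    // No [ValidateInput(false)] here: Title and any other bound field
    // still go through request validation.
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Body skipped request validation, so it is untrusted markup.
        // Store it as submitted and encode it when rendering
        // (Razor's @Model.Body encodes; Html.Raw does not).
        Store.Add(model);
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View(Store.ToArray());
    }
}
```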