Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document

In my previous post, I provided a list of which ASP.NET HTML control property that offers automatic HTML encoding. As a side note, I was made aware that an older version of that file is available from the support files of the Hunting Security Bugs book. I initially received this document from Tom Gallagher team and made some updates regarding BaseValidator and child classes ErrorMessage property so the version I posted is more up to date. I'll remind the book authors to update the file on their side.

The document was targeted to ASP.NET 2.0 developers who were interested to know which control doesn't offer encoding to mitigate against XSS problems. The document is also very useful during code review and I've decided to quickly plug it into FxCop so it can quickly spot areas that should be reviewed.

The rule will load the control encoding information stored in asp_controls.xml and will apply the following logic:

  • If properties that don't offer encoding are used, it will be listed in the FxCop result
  • If it finds a property that offers encoding but that property is bound to html attribute, it will spot it to make sure that users cannot inject things like javascript: or other handlers
    • In the future, it will only show cases where the attribute can be executed. I'm currently looking to potentially integrate the rule with the script mapping project from WASC.

This will give a detailed list of items to review. The aim is not to automatically detect XSS but to identify spots in the code that should be reviewed.


  1. Simply unzip the files and put them in the FxCop Rules folder (C:\Program Files\Microsoft FxCop 1.36\Rules)
  2. Launch FxCop
  3. The rule can be selected from the Rules tab under the Html Review section