Below is the code for retrieving datatable from database
protected DataTable ExecuteDataTableSQL(string strSQL)
{
using (OracleConnection connection = new OracleConnection(_strConnectionString))
{
dbAdapter.SelectCommand.Connection = connection;
connection.Open();
DataTable dtResult = new DataTable();
try
{
OracleCommand comm = dbAdapter.SelectCommand;
comm.CommandText = strSQL;
comm.CommandType = CommandType.Text;
dbAdapter.Fill(dtResult);
}
catch (Exception ex)
{
throw (ex);
}
return dtResult;
}
}
Below is the simplified code I am using the above method
DataTable dtResult = new DataTable();
string strSQL="some select statement";
dtResult = ExecuteDataTableSQL(strSQL);
if (dtResult.Rows.Count > 0)
{
DataGrid dg = new DataGrid();
dg.DataSource = dtResult;
dg.DataBind();
}
Checkmarx reports this as stored XSS as gets data from the database, for the dtResult element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method
source: dbAdapter.Fill(dtResult);
destination: dg.DataSource = dtResult;
How to resolve the issue.