XSS Vulnerability found in RowCommand function with e.CommandArgument

I'm using Checkmarx to scan a web application and I have noticed a lot of threats are found every time I use e.CommandArgument in a RowCommand function. Example:

Protected Sub gvwModifySend_RowCommand(ByVal sender As Object, ByVal e As GridViewCommandEventArgs) Handles gvwModifySend.RowCommand
    ' CommandArgument is typed as Object, so convert it to a String before encoding
    Dim commandArg As String = AntiXssEncoder.HtmlEncode(e.CommandArgument.ToString(), False)
    Select Case e.CommandName
        Case "Copy"
            ' code
        Case "Modify"
            ' code
        Case "OpenToModify"
            ' code
    End Select
End Sub

I have tried using the antiXSS library like this:

Dim commandArg As String = AntiXssEncoder.HtmlEncode(e.CommandArgument.ToString(), False)

But the scan keeps returning :

Method gvwModifySend_RowCommand at line 520 of ............\controls\mypage.ascx.vb gets user input from the commandargument element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a query to the application server’s cached data, in CopyDocument at line 1131 of ............\modifyAndSendDocs.ascx.vb. This may enable a Data Filter Injection attack.

It pretty much looks like a false positive threat, but I wanted to ask if you guys use something better to prevent Checkmarx or any other security tool from returning threats like this. Thank you in advance.


The reported vulnerability is not XSS, it is Data Filter Injection. You can click the ? next to the query name to get a detailed description.

The essence of it is that code you aren't showing is likely concatenating the value from e.CommandArgument to query something like the session cache, which means XSS escaping won't do anything to stop someone from providing an arbitrary value that is then used as the query criteria.

Assuming the version of SAST you're using supports the AntiXssEncoder namespace (I am looking at 9.4 at the moment, but it may be in the CxQL for previous versions), it specifically ejects HtmlEncode as a sanitizer for this particular vulnerability. You may try:

  • AntiXssEncoder.CssEncode
  • AntiXssEncoder.HtmlFormUrlEncode
  • AntiXssEncoder.UrlEncode
  • AntiXssEncoder.XmlAttributesEncode
  • AntiXssEncoder.XmlEncode

Using filtered from this snippet would probably work too:

Dim filtered As String = e.CommandArgument.ToString().Replace("'", "")
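To make the answer's point concrete: the finding is about the raw CommandArgument being concatenated into a filter expression over cached data, not about how it renders in a browser. The example below is added here and is not code from the question or the answer; the GridView name is taken from the question, while the cache key, the DataTable layout (a `DocumentId` integer column) and the two finder functions are assumptions made to illustrate the pattern. It places the flagged pattern next to a hardened version that validates the argument as an integer and filters on the typed value, so no string built from postback data reaches `DataTable.Select`.

```vb
Imports System
Imports System.Data
Imports System.Linq            ' DataSetExtensions: AsEnumerable / Field(Of T)
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Added example (assumed user control), not code from the question or the answer.
Partial Public Class ModifyAndSendDocs
    Inherits UserControl

    Protected WithEvents gvwModifySend As GridView

    ' Pattern the scanner reports as Data Filter Injection: the raw CommandArgument is
    ' concatenated into a DataTable.Select expression. A single quote in the argument
    ' changes the expression itself, and HtmlEncode (which protects browser rendering)
    ' does nothing about that.
    Private Function FindDocumentUnsafe(ByVal docs As DataTable, ByVal rawArg As String) As DataRow()
        Return docs.Select("DocumentId = '" & rawArg & "'")
    End Function

    ' Hardened form: the argument has already been parsed into the type it must be,
    ' and the comparison is done on the typed value, so there is no expression to inject into.
    Private Function FindDocumentSafe(ByVal docs As DataTable, ByVal documentId As Integer) As DataRow()
        Return docs.AsEnumerable(). _
            Where(Function(r) r.Field(Of Integer)("DocumentId") = documentId). _
            ToArray()
    End Function

    Protected Sub gvwModifySend_RowCommand(ByVal sender As Object, ByVal e As GridViewCommandEventArgs) Handles gvwModifySend.RowCommand
        ' CommandArgument comes back in the postback and can be altered by the client,
        ' so validate it against what a document id is allowed to look like.
        Dim documentId As Integer
        If Not Integer.TryParse(Convert.ToString(e.CommandArgument), documentId) OrElse documentId <= 0 Then
            Return ' reject; the raw string never flows further
        End If

        ' Assumed: the document list is kept in the application cache under this key.
        Dim docs As DataTable = TryCast(Cache("ModifySendDocuments"), DataTable)
        If docs Is Nothing Then Return

        Dim match As DataRow() = FindDocumentSafe(docs, documentId)
        If match.Length = 0 Then Return

        ' CommandName is postback data too; accept only the names the page defines.
        Select Case e.CommandName
            Case "Copy"
                ViewState("PendingAction") = "Copy"
            Case "Modify", "OpenToModify"
                ViewState("PendingAction") = "Modify"
            Case Else
                Return
        End Select
        ViewState("PendingDocumentId") = documentId
    End Sub
End Class
```

If the argument is a string rather than a number (a document name, say), the same approach applies: compare it against an allow-list of known values or use it as a typed parameter, rather than stripping individual characters, because `Replace("'", "")` only handles the one metacharacter the filter syntax happens to use.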