- Start Visual Studio, click on File | New | Project..., and create a new Visual C# | Web | ASP.NET Web Application with the MVC template, say WebApplication:
- Install the Puma.Security.Rules analyzers NuGet package (at the time of writing, the latest stable version is 1.0.4). For guidance on how to search for and install an analyzer NuGet package in a project, refer to the recipe Searching and installing analyzers through the NuGet package manager in Chapter 2, Consuming Diagnostic Analyzers in .NET Projects.
- Open the Views | _ViewStart.cshtml file and add the following text at the end of the file:
<div>
@Html.Raw(string.Format("Welcome <span class=\"bold\">{0}</span>!", ViewContext.ViewBag.UserName))
@{
WriteLiteral(string.Format("Welcome <span class=\"bold\">{0}</span>!", ViewContext.ViewBag.UserName));
}
</div>
- Select _ViewStart.cshtml in the solution explorer and change its Build Action from Content to AdditionalFiles using the Properties window below and save the project.
- Add a new Web Form to the project, say WebForm.aspx, and add the following HTML heading with a raw inline expression to the form:
<div>
<h2>Welcome <%= Request["UserName"].ToString() %></h2>
</div>
- Select WebForm.aspx in the solution explorer and change its Build Action from Content to AdditionalFiles using the Properties window below and save the project.
- Build the project in Visual Studio or from the command line and verify that you get the following SECXXXX warnings from the PUMA scan analyzer:
- Replace the HTML division element added to _ViewStart.cshtml in step 3 with the following:
<div>
Welcome <span class="bold">@ViewContext.ViewBag.UserName</span>!
</div>
- Replace the HTML division element added to WebForm.aspx in step 5 with the following:
<div>
<h2>Welcome <%: Request["UserName"].ToString() %></h2>
</div>
- Build the project again and verify it compiles without any security warnings.
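To make concrete what the analyzer is flagging in steps 3 and 5 and why the replacements in steps 7 and 8 silence it, here is an added example that is not code from the book or from the Puma.Security.Rules project. It is a stand-alone C# console program with two parts: a deliberately simple line-based scan for the three raw-output constructs used in this recipe (the real analyzer works on Roslyn syntax trees, not regular expressions, and the `RAW-*` rule ids below are invented placeholders, not the SECXXXX ids Puma reports), run over constructed copies of the view and form text before and after the fix; and a demonstration of the HTML encoding that the Razor `@` syntax and the Web Forms `<%: %>` expression apply, using `System.Net.WebUtility.HtmlEncode` on a constructed user name.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not part of the original recipe or of Puma.Security.Rules.
static class RawOutputCheck
{
    // Constructs that bypass the framework's automatic HTML encoding.
    // The Razor '@expression' syntax and the Web Forms '<%: %>' expression are
    // deliberately not matched: both encode their output.
    // Rule ids are hypothetical placeholders, not Puma's SECXXXX ids.
    static readonly (string Id, Regex Pattern, string Advice)[] Rules =
    {
        ("RAW-RAZOR-HTMLRAW",      new Regex(@"@Html\.Raw\("),     "Use @expression instead of Html.Raw for untrusted data."),
        ("RAW-RAZOR-WRITELITERAL", new Regex(@"\bWriteLiteral\("), "Use Write(...) or @expression so the value is HTML-encoded."),
        ("RAW-ASPX-EQUALS",        new Regex(@"<%=\s*Request"),    "Use <%: ... %> so the value is HTML-encoded."),
    };

    // Returns one finding per (line, rule) match, formatted like a compiler diagnostic.
    public static List<string> Scan(string fileName, string content)
    {
        var findings = new List<string>();
        string[] lines = content.Split('\n');
        for (int i = 0; i < lines.Length; i++)
            foreach (var rule in Rules)
                if (rule.Pattern.IsMatch(lines[i]))
                    findings.Add($"{fileName}({i + 1}): {rule.Id}: {rule.Advice}");
        return findings;
    }

    static void Main()
    {
        // Constructed copies of the view text from step 3 and the form text from step 5.
        const string viewStartBefore =
            "<div>\n" +
            "@Html.Raw(string.Format(\"Welcome <span class=\\\"bold\\\">{0}</span>!\", ViewContext.ViewBag.UserName))\n" +
            "@{\n" +
            "WriteLiteral(string.Format(\"Welcome <span class=\\\"bold\\\">{0}</span>!\", ViewContext.ViewBag.UserName));\n" +
            "}\n" +
            "</div>";
        const string webFormBefore =
            "<div>\n" +
            "<h2>Welcome <%= Request[\"UserName\"].ToString() %></h2>\n" +
            "</div>";

        // The same files after the replacements in steps 7 and 8.
        const string viewStartAfter =
            "<div>\n" +
            "Welcome <span class=\"bold\">@ViewContext.ViewBag.UserName</span>!\n" +
            "</div>";
        const string webFormAfter =
            "<div>\n" +
            "<h2>Welcome <%: Request[\"UserName\"].ToString() %></h2>\n" +
            "</div>";

        Console.WriteLine("Before the fix:");
        foreach (var f in Scan("_ViewStart.cshtml", viewStartBefore)) Console.WriteLine("  " + f);
        foreach (var f in Scan("WebForm.aspx", webFormBefore)) Console.WriteLine("  " + f);

        Console.WriteLine("After the fix:");
        int remaining = Scan("_ViewStart.cshtml", viewStartAfter).Count
                      + Scan("WebForm.aspx", webFormAfter).Count;
        Console.WriteLine($"  {remaining} finding(s)");

        // Why the fix works: '@' and '<%: %>' HTML-encode the value, so markup
        // characters in user-controlled data reach the browser as text, not tags.
        // Constructed sample value containing the characters that matter.
        string userName = "Ada <b>Lovelace</b> & \"Co\"";
        Console.WriteLine("Raw output (Html.Raw / WriteLiteral / <%= %>):");
        Console.WriteLine("  Welcome <span class=\"bold\">" + userName + "</span>!");
        Console.WriteLine("Encoded output (@expression / <%: %>):");
        Console.WriteLine("  Welcome <span class=\"bold\">" + WebUtility.HtmlEncode(userName) + "</span>!");
    }
}
```

The before-the-fix scan reports three findings (line 2 and line 4 of the view, line 2 of the form) and the after-the-fix scan reports none, which mirrors the warnings-then-clean-build sequence of steps 6 and 10. In the encoding demonstration, `WebUtility.HtmlEncode` rewrites `<`, `>`, `&` and `"` to `&lt;`, `&gt;`, `&amp;` and `&quot;`, so the `<span class="bold">` wrapper the developer wrote is the only markup left in the response, regardless of what arrived in `UserName`.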