How to do it...

  1. Start Visual Studio, click on File | New | Project..., and create a new Visual C# | Web | ASP.NET Web Application with the MVC template, say WebApplication:
  2. Install the Puma.Security.Rules analyzer NuGet package (at the time of writing, the latest stable version is 1.0.4). For guidance on how to search for and install an analyzer NuGet package in a project, refer to the recipe Searching and installing analyzers through the NuGet package manager in Chapter 2, Consuming Diagnostic Analyzers in .NET Projects.
  3. Open the Views | _ViewStart.cshtml file and add the following text at the end of the file:
<div>
@Html.Raw(string.Format("Welcome <span class=\"bold\">{0}</span>!", ViewContext.ViewBag.UserName))

@{
    WriteLiteral(string.Format("Welcome <span class=\"bold\">{0}</span>!", ViewContext.ViewBag.UserName));
}
</div>
  4. Select _ViewStart.cshtml in the Solution Explorer, change its Build Action from Content to AdditionalFiles using the Properties window below, and save the project.
  5. Add a new Web Form to the project, say WebForm.aspx, and add the following HTML heading with a raw inline expression to the form:
<div>
<h2>Welcome <%= Request["UserName"].ToString() %></h2>
</div>
  6. Select WebForm.aspx in the Solution Explorer, change its Build Action from Content to AdditionalFiles using the Properties window below, and save the project.
  7. Build the project in Visual Studio or from the command line and verify that you get the following SECXXXX warnings from the Puma scan analyzer:
  8. Replace the HTML division element added to _ViewStart.cshtml in step 3 with the following:
<div>
Welcome <span class="bold">@ViewContext.ViewBag.UserName</span>!
</div>
  9. Replace the HTML division element added to WebForm.aspx in step 5 with the following:
<div>
<h2>Welcome <%: Request["UserName"].ToString() %></h2>
</div>
  10. Build the project again and verify that it compiles without any security warnings.
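The recipe works because the analyzer reads the view and form files as AdditionalFiles and reports the raw-output constructs (`@Html.Raw(`, `WriteLiteral(`, `<%=`) that bypass HTML encoding, whereas `@` and `<%:` encode the value. The following is an added, deliberately simplified illustration of that mechanism, not Puma's own code: a hypothetical Roslyn analyzer (id DEMO0001 and class name are assumptions) that scans every .cshtml and .aspx AdditionalFile and reports the same constructs the recipe removes in steps 8 and 9.

```csharp
using System;
using System.Collections.Immutable;
using System.IO;
using System.Text.RegularExpressions;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Text;

// Hypothetical demo analyzer; Puma's real rules and SECXXXX ids differ.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class RawOutputAnalyzer : DiagnosticAnalyzer
{
    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        id: "DEMO0001",
        title: "Unencoded output in view or web form",
        messageFormat: "'{0}' writes data to the response without HTML encoding",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    // The three raw-output constructs used in steps 3 and 5 of the recipe.
    private static readonly Regex RawPattern =
        new Regex(@"@Html\.Raw\(|WriteLiteral\(|<%=", RegexOptions.Compiled);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
        => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.EnableConcurrentExecution();
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        // AdditionalFiles are only visible at compilation scope, not per syntax tree.
        context.RegisterCompilationAction(AnalyzeAdditionalFiles);
    }

    private static void AnalyzeAdditionalFiles(CompilationAnalysisContext context)
    {
        foreach (AdditionalText file in context.Options.AdditionalFiles)
        {
            string ext = Path.GetExtension(file.Path);
            bool isView = ext.Equals(".cshtml", StringComparison.OrdinalIgnoreCase)
                       || ext.Equals(".aspx", StringComparison.OrdinalIgnoreCase);
            SourceText text = isView ? file.GetText(context.CancellationToken) : null;
            if (text == null) continue;

            foreach (TextLine line in text.Lines)
                foreach (Match m in RawPattern.Matches(line.ToString()))
                {
                    // Map the match back to a file position so the warning is clickable in the IDE.
                    var span = new TextSpan(line.Start + m.Index, m.Length);
                    var location = Location.Create(file.Path, span, text.Lines.GetLinePositionSpan(span));
                    context.ReportDiagnostic(Diagnostic.Create(Rule, location, m.Value));
                }
        }
    }
}
```

Because the scan is text based, it fires only on files whose Build Action is AdditionalFiles, which is why steps 4 and 6 are required for any warning to appear.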