11-11-2020, 07:33 PM
I am adding to this thread so everyone has the final update.
Since there is a large list of the cross site scripting (see https://portswigger.net/web-security/cro...heat-sheet) that "according to the testing company" can be used against a website through parameters, I ended up blocking all of the parameters by the servercontroller->OnParseParameter. I then wrote code to handle the params that I did want to allow.
This passed the security audit checks so I am moving on.