Important: This document may not represent best practices for current development, and links to downloads and other resources may no longer be valid. The current recommended version can be found in the newer documentation.
Security Considerations in Using Snippets
IntelliSense code snippets installed by Visual Studio are not in themselves a security hazard. Depending on where they are used and how they are modified, however, they can create security risks in your application. Snippets downloaded from the Internet should be treated like any other downloaded content: untrusted until you have inspected them.
When downloading snippet files from the Internet, be aware of the following:
A file extension of .snippet does not guarantee that the file contains plain-text XML; the file can contain anything. To be safe, download only from sites you trust, and keep your antivirus software up to date.
The Help URL that is part of the snippet file can potentially execute a malicious script file or display an offensive Web site. The Help URL is not displayed in the Code Editor when you insert the snippet, but it is visible if you open the snippet file in the XML Editor or another editor such as Notepad.
The code itself could contain code that can damage your system if you execute it. Read the source carefully before running it. Some of the code may be in collapsed #Region Directive sections. Expand these sections to read the code.
The snippet may contain references. These references are added silently to your project and may be loaded from anywhere on your system, including the same location to which you downloaded the snippet. The snippet may then make a call to a method in the referenced assembly that executes malicious code. To protect yourself against such an attack, read the snippet file carefully before inserting the snippet, and download only from sites you trust.
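The four warning signs above can be checked mechanically before a snippet is ever inserted. The following is an added example, not part of the original article or of Visual Studio: a small audit script that parses a .snippet file and reports a HelpUrl whose scheme is not http(s), every Reference and Import that would be added to the project without a prompt, and any code hidden inside #Region blocks. Element names follow the Visual Studio 2005 CodeSnippet XML schema; the sample snippet embedded in the script is constructed for illustration and is not a real snippet from any source.

```python
"""Audit a Visual Studio .snippet file for the risks described in the text.

Added example, not Microsoft code. The sample snippet below is constructed
for illustration and deliberately carries each warning sign.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Default namespace used by the VS 2005 CodeSnippet schema.
NS = {"s": "http://schemas.microsoft.com/VisualStudio/2005/CodeSnippet"}

# Constructed sample: script-scheme HelpUrl, a path-style Reference,
# a silently imported namespace, and a call hidden in a collapsed #Region.
SAMPLE_SNIPPET = """<?xml version="1.0" encoding="utf-8"?>
<CodeSnippets xmlns="http://schemas.microsoft.com/VisualStudio/2005/CodeSnippet">
  <CodeSnippet Format="1.0.0">
    <Header>
      <Title>Log message</Title>
      <Shortcut>logmsg</Shortcut>
      <HelpUrl>javascript:alert(document.cookie)</HelpUrl>
      <SnippetTypes><SnippetType>Expansion</SnippetType></SnippetTypes>
    </Header>
    <Snippet>
      <References>
        <Reference><Assembly>System.Data.dll</Assembly></Reference>
        <Reference><Assembly>..\\Downloads\\Helper.dll</Assembly></Reference>
      </References>
      <Imports><Import><Namespace>Helper.Util</Namespace></Import></Imports>
      <Code Language="VB"><![CDATA[
#Region "Generated"
Helper.Util.Setup.Run()
#End Region
Console.WriteLine("hello")
]]></Code>
    </Snippet>
  </CodeSnippet>
</CodeSnippets>
"""

REGION_RE = re.compile(r'^\s*#\s*region\b\s*"?([^"\r\n]*)"?', re.I)   # VB or C#
END_RE = re.compile(r'^\s*#\s*end\s*region\b', re.I)                  # "#End Region" / "#endregion"


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def _regions(code):
    """Return [(region_name, [non-blank lines inside])] for each #Region block."""
    out, name, buf = [], None, []
    for line in code.splitlines():
        if name is None:
            m = REGION_RE.match(line)
            if m:
                name, buf = m.group(1).strip(), []
        elif END_RE.match(line):
            out.append((name, buf))
            name = None
        elif line.strip():
            buf.append(line.strip())
    if name is not None:          # unterminated region: still report what it hides
        out.append((name, buf))
    return out


def audit_snippet(xml_text):
    """Return a list of (severity, message) findings for one .snippet file."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    for snippet in root.findall("s:CodeSnippet", NS):
        header = snippet.find("s:Header", NS)
        body = snippet.find("s:Snippet", NS)
        title = _text(header.find("s:Title", NS)) if header is not None else "?"

        # 1. HelpUrl is hidden from the Code Editor; anything but http(s) is suspect.
        url = _text(header.find("s:HelpUrl", NS)) if header is not None else ""
        if url:
            scheme = urlparse(url).scheme.lower()
            sev = "info" if scheme in ("http", "https") else "high"
            findings.append((sev, f"{title}: HelpUrl {url!r} (scheme {scheme or 'none'!r})"))
        if body is None:
            continue

        # 2. References are added to the project without a prompt on insert.
        for ref in body.findall("s:References/s:Reference", NS):
            asm = _text(ref.find("s:Assembly", NS))
            is_path = bool(re.search(r"[\\/]|\.\.", asm))   # not a bare GAC assembly name
            note = " (path, not a GAC assembly name)" if is_path else ""
            findings.append(("high" if is_path else "medium", f"{title}: adds reference {asm!r}{note}"))

        # 3. Imports bring a namespace into scope silently.
        for ns in body.findall("s:Imports/s:Import/s:Namespace", NS):
            findings.append(("low", f"{title}: imports namespace {_text(ns)!r}"))

        # 4. Code collapsed in #Region blocks is easy to overlook; surface it.
        code = body.find("s:Code", NS)
        for name, inner in _regions(_text(code) if code is not None else ""):
            findings.append(("medium", f"{title}: #Region {name!r} hides {len(inner)} line(s): {' | '.join(inner)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_snippet(SAMPLE_SNIPPET):
        print(f"[{sev}] {msg}")
```

Run it against any .snippet file by passing the file contents to audit_snippet; a "high" finding (script-scheme Help URL, or a reference given as a path rather than an assembly name) is a reason not to insert the snippet at all, while "medium" and "low" findings tell you which elements to read before deciding.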
How secure a snippet is depends on where it is used in the source code and how it is modified once it is in the code. The following list contains a few of the areas that must be considered:
File and database access
Code access security
Protecting resources (such as event logs, registry)
Passing data to scripting technologies
For more information, see Securing Applications.