
Getting the following Fortify error:

The Fortify description is: The method xxx() in xxx.java sends unvalidated data to a web browser on line 168, which can result in the browser executing malicious code.

This is our code in Java that sends an Ajax response.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.Valid;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@ResponseBody
@Produces(MediaType.APPLICATION_JSON)   // JAX-RS annotations: Spring MVC does not read these
@Consumes(MediaType.APPLICATION_JSON)
@POST
@RequestMapping(value = "/onConfirmSubmit")
public ResponseEntity<String> onConfirmSubmit(@RequestBody @Valid final Form form,
        final HttpServletRequest request, final HttpServletResponse response)
        throws Exception, ServiceException {
    final HttpHeaders headers = new HttpHeaders();
    headers.set(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON);
    HttpStatus responseStatus = HttpStatus.OK;
    handler.populateData(form);
    // Fortify's taint source: body is built from form data and sent straight to the browser.
    String body = handler.processRequest(form, request);
    // Attach the headers built above; the original never passed them to the response.
    return ResponseEntity.status(responseStatus).headers(headers).body(body);
}
```
Alan Robles
  • Possible duplication of https://stackoverflow.com/questions/8074248/how-to-fix-xss-vulnerabilites – R.Laney Jan 26 '18 at 20:39
  • Is it `handler.processRequest` that's the issue? How is it creating the JSON data? – fgb Jan 27 '18 at 11:01
  • Yes @fgb that's the issue. I am returning some data that's coming in the form. I have added the following in the handler.processRequest before creating the JSON response: `ESAPI.encoder().encodeForHTML` – Alan Robles Jan 29 '18 at 19:03
  • JSON shouldn't be HTML encoded. If you're reading it with `JSON.parse` or similar on the client then it can't execute any scripts, unless you have some other DOM-based vulnerability. – fgb Jan 29 '18 at 23:57
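As an added example (not the asker's code, and not from ESAPI or Fortify) of what fgb's last comment points at: encode the form data for the JSON context instead of HTML-encoding it, so quotes, backslashes and control characters in the input become valid JSON escapes and the client can still `JSON.parse` the body. It assumes Jackson and Spring's `ResponseEntity`; the `Result` DTO, the extra escaping of `<`, `>` and `&`, and the `nosniff` header are my assumptions about reasonable hardening, not something the question shows.

```java
import com.fasterxml.jackson.core.SerializableString;
import com.fasterxml.jackson.core.io.CharacterEscapes;
import com.fasterxml.jackson.core.io.SerializedString;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;

public class ConfirmResponse {

    // Plain DTO with only the fields the client needs (assumed shape, not the asker's Form).
    public static class Result {
        public final String status;
        public final String echoedName;
        public Result(String status, String echoedName) {
            this.status = status;
            this.echoedName = echoedName;
        }
    }

    // On top of Jackson's standard JSON escapes, also emit '<', '>' and '&' as \uXXXX so the
    // body stays inert even if some page later inlines it inside a <script> block.
    private static final CharacterEscapes HTML_SAFE = new CharacterEscapes() {
        private final int[] codes = CharacterEscapes.standardAsciiEscapesForJSON();
        { codes['<'] = ESCAPE_CUSTOM; codes['>'] = ESCAPE_CUSTOM; codes['&'] = ESCAPE_CUSTOM; }
        @Override public int[] getEscapeCodesForAscii() { return codes; }
        @Override public SerializableString getEscapeSequence(int ch) {
            return new SerializedString(String.format("\\u%04x", ch));
        }
    };

    private static final ObjectMapper MAPPER = new ObjectMapper();
    static { MAPPER.getFactory().setCharacterEscapes(HTML_SAFE); }

    // JSON encoding, not encodeForHTML: a value like "x\"};alert(1)//" is serialized as a
    // quoted JSON string and parses back on the client to exactly the text the user sent.
    public static String toJson(Result r) throws Exception {
        return MAPPER.writeValueAsString(r);
    }

    public static ResponseEntity<String> build(String userSuppliedName) throws Exception {
        String body = toJson(new Result("ok", userSuppliedName));
        return ResponseEntity.ok()
                .contentType(MediaType.APPLICATION_JSON)
                .header("X-Content-Type-Options", "nosniff") // stop the browser sniffing JSON as HTML
                .body(body);
    }
}
```

What remains for the client is to insert the parsed values with `textContent` rather than `innerHTML`; that DOM-side sink, not the JSON body, is where a script could still run.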

0 Answers