Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)

Fortify "Cross-Site Scripting: Poor Validation" is complaining that your OUTPUT encoding is either improper or not effective. The purpose of the output encoding (escaping) is to confine the special characters (meta char) as literal string, so they cannot be executed as a command.

To remediate, you do:

Step#1. Determine who is going to consume this "to be encoded context"?

Step#2. Properly Encode the context based on the delivery protocol and the down stream needs. For example:

• If data being consumed at the [?query] part of the URL, you need to find a function to wrap (aka encode, escape) 18 reserved characters (! * ' () ; : @ & = + $ , / ? #[]) that have special meaning to the HTTP protocol (not necessary encode the entire URL). (read RFC3986 Sec 2.2 for details)
• IF data being consumed as an XML Entity, you need to encode 5 meta characters (& < > " ') (check W3C XML Spec Sec 2.4). But, this is not always true. Data used as comment, the processing instructions, or in CDATA section don't need to be encoded.

Step#3. Collect encoding examples for future pick and use:(sorry, when post as code, some contents changed, so post as image)

need to consider overhead of ESAPI library, is it worth to load 30 MB jar for one fix?

Output encoding using light weight org.owasp.encoder library