Sanitizing an object to satisfy Cross-site Scripting Content sniffing

I have Fortify SSC scanning my Java Spring Boot project. I have a simple controller that returns an object from the database.

    // Controller method as posted: takes an item id in the request body and returns the Item
    // (three String fields plus an int) that the service loads from the database.
    @PostMapping("getMyItems")
    public Item getMyItems(@RequestBody int itemids, HttpServletRequest request)
    {
        return itemService.getMyItems(itemids, request);
    }
and Item is a class with 3 strings and an int as attributes. All 3 strings are being sanitized (HTML encoded) by an Apache library. I've tried other libraries as well and Fortify still considers this a vulnerability. Is this normal, or am I doing something wrong?
Further information: 
The example above appears as a Medium criticality vulnerability. I had the same vulnerability appear in the Critical category, except there they were simple Strings being returned to the user. Once I sanitized those strings with the Apache library, Fortify would mark those vulnerabilities as resolved. So clearly this is the solution to XSS content sniffing, but for some reason Fortify does not recognize when an object is sanitized. Am I correct to assume this?
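The following is an added example, not the poster's code, showing the two controls a "Content Sniffing" finding is about: the response declares its content type explicitly (`produces = application/json`) and carries `X-Content-Type-Options: nosniff`, so a browser cannot reinterpret the JSON body as HTML, while the Item's string fields are still HTML-encoded with Apache Commons Text at construction time. Field names (`name`, `description`, `owner`, `quantity`), the `ItemService` interface, the Spring Boot 3 `jakarta.servlet` namespace and the `commons-text` dependency are all assumptions made for this example.

```java
import jakarta.servlet.http.HttpServletRequest;   // assumption: Spring Boot 3 (javax.servlet on Boot 2)
import org.apache.commons.text.StringEscapeUtils;  // assumption: org.apache.commons:commons-text on the classpath
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ItemController {

    /** Hypothetical item type: three strings and an int, mirroring the question. */
    public static final class Item {
        private final String name;
        private final String description;
        private final String owner;
        private final int quantity;

        private Item(String name, String description, String owner, int quantity) {
            this.name = name;
            this.description = description;
            this.owner = owner;
            this.quantity = quantity;
        }

        /**
         * Single place where output encoding happens: every string field is HTML-encoded
         * before the object can exist, so no code path can return a raw field by mistake.
         * escapeHtml4 turns '<', '>', '&' and '"' into entities; null stays null.
         */
        public static Item sanitized(String name, String description, String owner, int quantity) {
            return new Item(
                StringEscapeUtils.escapeHtml4(name),
                StringEscapeUtils.escapeHtml4(description),
                StringEscapeUtils.escapeHtml4(owner),
                quantity);
        }

        // Getters are what Jackson serializes into the JSON response body.
        public String getName() { return name; }
        public String getDescription() { return description; }
        public String getOwner() { return owner; }
        public int getQuantity() { return quantity; }
    }

    /** Hypothetical service boundary; the real one in the question loads from the database. */
    public interface ItemService {
        Item getMyItems(int itemId, HttpServletRequest request);
    }

    private final ItemService itemService;

    public ItemController(ItemService itemService) {
        this.itemService = itemService;
    }

    /**
     * Same endpoint shape as the question, with the content-sniffing controls made explicit:
     *  - produces = application/json fixes the Content-Type header the client receives;
     *  - X-Content-Type-Options: nosniff tells browsers not to second-guess that header.
     * The body is the already-encoded Item, so all three defenses are present in one response.
     */
    @PostMapping(value = "getMyItems", produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<Item> getMyItems(@RequestBody int itemids, HttpServletRequest request) {
        Item item = itemService.getMyItems(itemids, request);
        return ResponseEntity.ok()
                .header("X-Content-Type-Options", "nosniff")
                .body(item);
    }
}
```

Two things are worth checking in a real project. First, if Spring Security is on the classpath, its default header writer already adds `X-Content-Type-Options: nosniff` to every response, so the explicit `.header(...)` above is only needed when that filter chain is absent or customized; you can confirm with `curl -i` against the endpoint. Second, whether Fortify clears the finding depends on its dataflow analysis recognizing the encoding call on each field as it flows into the serialized response; keeping the encoding in one factory like `Item.sanitized` (rather than scattered across setters or the service) gives the analyzer, and a reviewer, one place to verify.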