Issue while my asp.net, c# code is scanned.

The following is the XSS issue displayed when my code is scanned through fortify: 

-------------

Cross-Site Scripting: Persistent (Input Validation and Representation, Data Flow)

The method GetDocument() in RendDoc.ashx.cs sends unvalidated data to a web browser on line 160, which can result in the browser executing malicious code.

------------------------------

The following is the code which Fortify is scanning. The 3 lines prefixed with ** are the ones on which Fortify shows issues. Please let me know any other way to handle this, so that I'm not shown this issue.

public void GetDocument()
{
    // DocId and fileExt are assumed to be members of the handler set before this call (not shown in the post).
    ServiceClient dm = null;
    SomeService.SomeServiceSoapClient InternalService = null;

    // Use service based on whether the caller is using Windows Authentication
    if (HttpContext.Current.Request.IsAuthenticated && HttpContext.Current.User.Identity is WindowsIdentity)
        InternalService = new SomeService.SomeServiceSoapClient("ServiceNetTcpEndpoint");
    else
        dm = new ServiceClient("SomeServicewsHttpEndpoint");

    try
    {
        byte[] DocArray;
        //DocArray = dm == null ? InternalService.GetFile(DocId) : dm.GetFile(DocId);
        if (dm == null)
        {
            // Wrapper for impersonation: the call runs under the caller's Windows identity
            using (WindowsImpersonationContext cxt = (Thread.CurrentPrincipal.Identity as WindowsIdentity).Impersonate())
                /* ** */ DocArray = InternalService.GetFile(DocId);
        }
        else
            /* ** */ DocArray = dm.GetFile(DocId);

        string fileExt2;
        string strContentType = null;
        fileExt2 = fileExt;

        strContentType = GetService.GetContenttype(fileExt2);

        HttpContext.Current.Response.ClearHeaders();
        HttpContext.Current.Response.ClearContent();
        HttpContext.Current.Response.BufferOutput = true;

        HttpContext.Current.Response.ContentType = strContentType; // "application/msword"; // for PDF type

        HttpContext.Current.Response.AddHeader("Content-Disposition", "inline");
        /* ** */ HttpContext.Current.Response.BinaryWrite(DocArray);

        HttpContext.Current.ApplicationInstance.CompleteRequest(); //http://blogs.msdn.com/b/aspnetue/archive/2010/05/25/response-end-response-close-and-how-customer-feedback-helps-us-improve-msdn-documentation.aspx
    }
    catch (FaultException ex)
    {
        ExMgr.Publish(ex);
        // dm is null on the Windows Authentication path; guard to avoid a NullReferenceException inside the handler
        if (dm != null)
            dm.Abort();
    }
    catch (Exception ex)
    {
        ExMgr.Publish(ex);
    }
    finally
    {
        if (dm != null)
        {
            if (dm.State == System.ServiceModel.CommunicationState.Faulted)
            {
                dm.Abort();              //Abort() is an ungraceful exit—when called, it immediately aborts all service calls in progress and shuts down the host. Active clients will each get an exception.
            }
            else
            {
                if (dm.State == CommunicationState.Opened || dm.State == CommunicationState.Opening || dm.State == CommunicationState.Created)
                {
                    dm.Close();
                }
                else
                {
                    dm.Abort();
                }
            }
        }
        if (InternalService != null)
        {
            if (InternalService.State == System.ServiceModel.CommunicationState.Faulted)
            {
                InternalService.Abort();              //Abort() is an ungraceful exit—when called, it immediately aborts all service calls in progress and shuts down the host. Active clients will each get an exception.
            }
            else
            {
                if (InternalService.State == CommunicationState.Opened || InternalService.State == CommunicationState.Opening || InternalService.State == CommunicationState.Created)
                {
                    InternalService.Close();
                }
                else
                {
                    InternalService.Abort();
                }
            }
        }
    }
}
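The finding is that bytes fetched from the document service are written straight to the browser with `Content-Disposition: inline` and a content type looked up from the extension, so a stored document that happens to be HTML (or is sniffed as HTML) would run in the application's origin. The following is an added example, not code from the original post: it writes the same response with an allow-listed content type, a download disposition, and MIME sniffing disabled. `WriteDocument`, `AllowedTypes` and the `fileExt`/`docArray` parameters are placeholder names assumed here; the handler's own service and `GetContenttype` lookup are not replaced.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class DocumentResponse
{
    // Allow-list of expected extensions mapped to a fixed MIME type.
    // Extensions a browser will render as a page (.html, .htm, .svg, .xml)
    // are deliberately absent, so they are refused rather than served.
    private static readonly Dictionary<string, string> AllowedTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "pdf",  "application/pdf" },
            { "doc",  "application/msword" },
            { "docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document" },
            { "png",  "image/png" },
            { "jpg",  "image/jpeg" },
        };

    // Returns true when the document was written, false when it was refused.
    public static bool WriteDocument(HttpResponse response, string fileExt, byte[] docArray)
    {
        string ext = (fileExt ?? string.Empty).TrimStart('.').ToLowerInvariant();
        string contentType;
        if (!AllowedTypes.TryGetValue(ext, out contentType))
        {
            // Unknown type: do not guess, and do not let the browser guess.
            response.StatusCode = 415; // Unsupported Media Type
            return false;
        }

        response.ClearHeaders();
        response.ClearContent();
        response.BufferOutput = true;
        response.ContentType = contentType;

        // "attachment" instead of "inline": the body is downloaded, never rendered
        // as a page in this origin. The filename uses only the allow-listed
        // extension, so no request-controlled text reaches the header.
        response.AddHeader("Content-Disposition", "attachment; filename=\"document." + ext + "\"");

        // Stop MIME sniffing so a body that merely looks like HTML is not
        // executed even if the declared type turns out to be wrong.
        response.AddHeader("X-Content-Type-Options", "nosniff");

        response.BinaryWrite(docArray);
        return true;
    }
}
```

In the handler this replaces the block from `ClearHeaders()` through `BinaryWrite(DocArray)`; whether Fortify then clears the data-flow finding depends on its rules, but the browser can no longer execute the stored content in the application's origin.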