Absent Member.

Cross-Site Scripting fix issue

Issue description :-

My current assignment on my project is fixing the Cross-Site Scripting (Persistent and Reflected) threats that are raised by Fortify. As per the recommendation, I've created a wrapper class where I encode and decode string values using HttpUtility.Encode and Decode as such. However, Fortify doesn't understand my fix and reports the threat again during my scan. Please help me with the actual approach and recommendation for these issues. Please find my code below and let me know what is wrong with it.

My Code :-

var TestName = c.Name; // c is a Business Object class.

LiteralControlId.Text = Server.Decode(TestName); // Literal.Text is rendered as-is (default Mode=Transform), so whatever the wrapper returns reaches the page unencoded.

Micro Focus Expert

In addition to adding this wrapper code, did you review the Wrapper Detection settings and Set Dataflow Analysis Values in the SCA User Guide? It may be that SCA is not identifying your wrapper, and so it is seeing the input as remaining unsanitized.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
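As an added example (not the poster's code, nor Fortify's), here is the shape of a fix that addresses both halves of the thread: the wrapper encodes at the output sink instead of decoding, and it does so through a standard API (HttpUtility.HtmlEncode in ASP.NET, WebUtility.HtmlEncode in the BCL) that Fortify's dataflow rules typically already recognise as a cleanse for an HTML context, so no custom wrapper rule is needed. The class name OutputEncoder, the control name LiteralControlId and the business object `c` are assumptions; the payload string is constructed for the demonstration.

```csharp
// Added example, not from the original post. Assumes an ASP.NET Web Forms page with a
// Literal control named LiteralControlId and a business object `c` exposing a string Name.
// The wrapper class name OutputEncoder is hypothetical.
using System;
using System.Net; // WebUtility.HtmlEncode; in ASP.NET, System.Web.HttpUtility.HtmlEncode is equivalent

public static class OutputEncoder
{
    // Encode for an HTML text context at the point of OUTPUT.
    // Decoding untrusted data on its way into a control does the opposite of what XSS
    // mitigation needs: it turns stored entities back into live markup.
    public static string ForHtml(string untrusted)
    {
        return untrusted == null ? string.Empty : WebUtility.HtmlEncode(untrusted);
    }
}

public class Demo
{
    public static void Main()
    {
        // Constructed sample: a stored (persistent) value coming back out of a business object.
        string name = "<script>alert(1)</script>";

        // Before (the posted code): the decoded value is assigned straight to Literal.Text,
        // and Literal's default Mode (Transform) renders it verbatim.
        //   LiteralControlId.Text = Server.Decode(TestName);

        // After: encode at the sink. The Literal still renders the string as-is, but the
        // string now contains entities, so the browser shows text instead of running script.
        string safe = OutputEncoder.ForHtml(name);
        //   LiteralControlId.Text = safe;
        Console.WriteLine(safe);

        // Alternative that needs no wrapper at all: set the control's Mode property to
        // LiteralMode.Encode so the control HTML-encodes Text itself. Fortify treats the
        // assignment as reaching an encoding sink in that case too.
    }
}
```

Whichever route is chosen, keep the rule in one place (wrapper or control mode) and remove the decode step; if SCA still flags the assignment after that, the Wrapper Detection and Set Dataflow Analysis Values sections the reply points to are where the scanner is told that the wrapper is the cleanse point.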