Cross-Site Scripting fix issue
Issue description:
My current assignment on my project is fixing the Cross-Site Scripting (Persistent and Reflected) threats raised by Fortify. As per the recommendation, I've created a wrapper class where I encode and decode string values using HttpUtility.Encode and Decode. However, Fortify doesn't recognize my fix and reports the threat again during my scan. Please help me understand what the actual approach and recommendation for these issues is. Please find my code below and let me know what is wrong with it.
My code:
var TestName = c.Name; // c is an instance of a business-object class
LiteralControlId.Text = Server.Decode(TestName); // value is decoded before being written to the Literal control
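The approach the question is asking about, as an added C# example that is not code from the post or from Fortify: encode untrusted values at the HTML sink instead of decoding them. The class names SafeOutput and Demo and the sample value standing in for c.Name are assumed.

```csharp
// Added example (not from the original post): output-encode untrusted data at the
// point it is written into HTML, rather than decoding it.
using System;
using System.Web; // HttpUtility lives here (also available in .NET Core 2.0+)

public static class SafeOutput
{
    // For text that lands between tags, e.g. Literal.Text or a <td> body.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // For text that lands inside a quoted attribute value, e.g. title="...".
    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample value standing in for c.Name in the question.
        string testName = "<script>alert('x')</script>";

        // What the question's code does: decoding turns entities back into
        // markup, so a stored "&lt;script&gt;" becomes a live <script> tag.
        string decoded = HttpUtility.HtmlDecode("&lt;script&gt;alert('x')&lt;/script&gt;");
        Console.WriteLine("decoded (unsafe for output): " + decoded);

        // The fix: encode on the way out so the browser renders text, not markup.
        string encoded = SafeOutput.ForHtmlBody(testName);
        Console.WriteLine("encoded (safe for output):   " + encoded);

        // In the page's code-behind this replaces the Decode call:
        // LiteralControlId.Text = SafeOutput.ForHtmlBody(c.Name);
        // To avoid depending on the scanner recognizing a custom wrapper, the
        // framework encoder can also be called directly at the sink:
        // LiteralControlId.Text = HttpUtility.HtmlEncode(c.Name);
    }
}
```

Which encoder to use depends on where the value lands (element body, attribute, URL, JavaScript), so keep the encoding call as close to the sink as possible.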
In addition to adding this wrapper code, did you review the Wrapper Detection settings and "Set Dataflow Analysis Values" in the SCA User Guide? It may be that SCA is not identifying your wrapper, so it sees the input as still unsanitized.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify