SCA - Custom Cross Site Scripting Encoder Recognition?

We have a custom static java method that handles stripping and converting characters per the OWASP XSS Prevention Cheat Sheet. Unfortunately SCA doesn't recognize strings passed through this function as having been validated. 

We'd like to resolve this, but I can't seem to find any documentation in the SCA User Guide for 18.10 that actually explains how. Filtering individual issue IDs, marking as not an issue, or suppressing them aren't really an option due to the size of the codebase.

Replacing our filter code with ESAPI.encoder().encodeForHtml(), which has nearly matching output to our method (ours is a little more aggressive), makes Fortify happy, but I'd really rather avoid the overhead and extra dependencies of the ESAPI module.

1 Reply
Micro Focus Frequent Contributor

Re: SCA - Custom Cross Site Scripting Encoder Recognition?

Hi Mark

This would require a custom rule which marks all data going through that function as validated for XSS according to your description.

You should check out the Custom Rules Guide for this.
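The kind of rule the reply is pointing at, as an added illustration that is not part of the original thread and not Micro Focus's own sample: a DataflowCleanseRule in the Fortify custom rulepack XML format, which tells the dataflow analyzer that whatever comes back from the encoder is no longer XSS-tainted. The package, class and method names (com.example.web.XssFilter.encodeForHtml) are placeholders for the poster's static method; the taint flag names are the ones Fortify's shipped XSS encoder rules use as far as I know, but check them and the formatVersion against the Custom Rules Guide for your SCA release before relying on them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread or from Micro Focus. It marks the return
     value of a hypothetical in-house encoder as cleansed for XSS. All names are
     placeholders; confirm flag names and formatVersion in the Custom Rules Guide. -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>5B3F7A2E-1C4D-4E8F-9A6B-0F1E2D3C4B5A</RulePackID>
  <SKU>com-example-custom-xss-encoder</SKU>
  <Name>Custom XSS encoder cleanse rules</Name>
  <Version>1.0</Version>
  <Description>Treats strings returned by the in-house HTML encoder as validated for XSS.</Description>
  <Rules version="3.8">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="3.8" language="java">
        <RuleID>7E9D2B41-6A35-4F0C-B8D1-3C2A1F0E9D8B</RuleID>
        <!-- Only XSS taint is cleared. Other taint (SQL injection, path manipulation,
             and so on) stays on the data, because an HTML encoder does not fix those. -->
        <TaintFlags>+XSS_ENCODED,+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT</TaintFlags>
        <FunctionIdentifier>
          <!-- Placeholder fully qualified name of the static encoder method. -->
          <NamespaceName><Pattern>com\.example\.web</Pattern></NamespaceName>
          <ClassName><Pattern>XssFilter</Pattern></ClassName>
          <FunctionName><Pattern>encodeForHtml</Pattern></FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <!-- The cleansed data is the method's return value, not its argument. -->
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

Save it as its own .xml rulepack and hand it to the scan with `sourceanalyzer -b <build-id> -scan -rules custom-xss-encoder.xml -f results.fpr` (or drop it in the installation's custom rules directory so every scan picks it up). Two things worth keeping in mind when you write the flags: a cleanse rule is only as safe as the encoder it describes, so if the method is correct for HTML body and attribute context but not for JavaScript, CSS or URL context, do not let the rule promise more than that; and since the whole point is to silence findings, have someone diff the rule against the encoder's actual behaviour rather than against the ESAPI call it happens to resemble.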


