outputStream writing a byteArray - XSS validation

Question

outputStream writing a byteArray - XSS validation

Asked 10 years, 7 months ago

Viewed 85 times

2

I am working with a software that goes through a "Security Application" that indicates the lines of code that are potentially insecure (theoretically).

Based on the code below, the application signals the line of the outputStream.write() accusing of Improper Neutralization of Script-Related HTML Tags in a Web Page (Improper neutralization of code related to html tags on a web page)

response.addHeader("Content-Disposition","attachment; filename=" + Util.NeutralizeFileName(filename));
byte[] bytes = obj_Data.getBytes("File");
ServletOutputStream ouputStream = response.getOutputStream();
ouputStream.write(bytes, 0, bytes.length);
ouputStream.flush();
ouputStream.close();

I’m not actually writing a html but rather a downloadable file. What’s more, all "unreliable" data coming from the user is being validated and neutralised before being converted to the byte array.

So my question is, is this some kind of false Warning (False alert)? If not, what can I do to produce a appropriate validation?

1 answer

Browser other questions tagged java java-ee xss

You are not signed in. Login or sign up in order to post.

by utluiz • **72,075** points · Answer 1 · 2014-04-24T18:09:51+00:00

Not knowing the criterion used by the tool is tricky to speculate.

However, the above code may cause security problems because the file submitted via download could, in theory, have malicious content, from HTML to a virus executable that would be downloaded by a user.

I don’t know what the intelligence of the tool is, but maybe the warning is not inhibited if the headers Content-type, Content-transfer-encoding and Content-length are appropriately defined to represent the binary file.

The problem is that without the headers, the browser would have to "guess" which file type and this might be cause for alert.

However, ultimately, refer to the manual or support of the tool in question.