2
I am working with a software that goes through a "Security Application" that indicates the lines of code that are potentially insecure (theoretically).
Based on the code below, the application signals the line of the outputStream.write() accusing of Improper Neutralization of Script-Related HTML Tags in a Web Page (Improper neutralization of code related to html tags on a web page)
response.addHeader("Content-Disposition","attachment; filename=" + Util.NeutralizeFileName(filename));
byte[] bytes = obj_Data.getBytes("File");
ServletOutputStream ouputStream = response.getOutputStream();
ouputStream.write(bytes, 0, bytes.length);
ouputStream.flush();
ouputStream.close();
I’m not actually writing a html but rather a downloadable file. What’s more, all "unreliable" data coming from the user is being validated and neutralised before being converted to the byte array.
So my question is, is this some kind of false Warning (False alert)? If not, what can I do to produce a appropriate validation?
Your answer was quite helpful, especially the part where you say
consulte o manual ou suporte da ferramenta em questão. The problem is that the tool does not understand the context in which the software is writing (i.e., it does not distinguish whether it is an HTML or a downloadable file). So it is not necessarily a false Warning but rather a purposeful behavior of the application of analysis.– Caio Oliveira