Fortify User Discussions

SCA - Custom Cross Site Scripting Encoder Recognition?



We have a custom static java method that handles stripping and converting characters per the OWASP XSS Prevention Cheat Sheet. Unfortunately SCA doesn't recognize strings passed through this function as having been validated. 

We'd like to resolve this, but I can't seem to find any documentation in the SCA User Guide for 18.10 that actually explains how. Filtering individual issue IDs, marking them as not an issue, or suppressing them aren't really an option due to the size of the codebase.

Replacing our filter code with ESAPI.encoder().encodeForHtml(), which has nearly matching output to our method (ours is a little more aggressive), makes Fortify happy, but I'd really rather avoid the overhead and extra dependencies of the ESAPI module.

Micro Focus Frequent Contributor

Re: SCA - Custom Cross Site Scripting Encoder Recognition?

Hi Mark

This would require a custom rule which marks all data going through that function as validated for XSS according to your description.

You should check out the Custom Rules Guide for this.
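The kind of rule the reply refers to is a dataflow cleanse rule. The following rulepack is an added example, not code from this thread or from Fortify's own rulepacks; it assumes a hypothetical static method `com.example.security.HtmlEncoder.encodeForHtml(String)` standing in for the poster's encoder, uses placeholder UUIDs that must be replaced with freshly generated ones, and assumes `VALIDATED_CROSS_SITE_SCRIPTING` is the taint flag the XSS sink rules look for in this rulepack version (confirm the flag name and the `formatVersion` against the Custom Rules Guide shipped with your SCA release).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: marks the return value of an in-house HTML encoder as
     validated against XSS so SCA stops reporting flows that pass through it. -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <!-- Placeholder: replace with a newly generated UUID -->
  <RulePackID>00000000-0000-0000-0000-000000000000</RulePackID>
  <SKU>custom-xss-encoder-rules</SKU>
  <Name>Custom XSS encoder cleanse rules</Name>
  <Version>1.0</Version>
  <Description>Treat the in-house HTML encoder as an XSS cleanse function.</Description>
  <Rules version="18.10">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="18.10" language="java">
        <!-- Placeholder: replace with a newly generated UUID -->
        <RuleID>11111111-1111-1111-1111-111111111111</RuleID>
        <!-- Only the XSS validation flag is added; taint relevant to other
             categories (SQL injection, path manipulation, ...) is left intact,
             because HTML entity encoding does nothing for those sinks. -->
        <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING</TaintFlags>
        <FunctionIdentifier>
          <!-- Hypothetical encoder; adjust to the real package, class and method -->
          <NamespaceName><Pattern>com\.example\.security</Pattern></NamespaceName>
          <ClassName><Pattern>HtmlEncoder</Pattern></ClassName>
          <FunctionName><Pattern>encodeForHtml</Pattern></FunctionName>
          <Modifiers><Modifier>static</Modifier></Modifiers>
        </FunctionIdentifier>
        <!-- Taint enters on the first parameter and leaves via the return value -->
        <InArguments>0</InArguments>
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

Pass the file to the scan phase with `sourceanalyzer -b <build id> -scan -rules custom-xss-encoder-rules.xml -f results.fpr` and confirm that issues whose dataflow passes through the encoder disappear while other XSS findings remain. Two things worth keeping in mind: SCA does not inspect what the method actually does, it simply trusts the rule, so the encoder itself should be reviewed against the OWASP cheat sheet; and an HTML entity encoder is only a correct defence for HTML body and attribute contexts, so a blanket cleanse rule will also silence findings where the encoded value ends up inside a script block or URL, which is where this kind of rule most often hides a real bug.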
