Fortify User Discussions

SCA - Custom Cross Site Scripting Encoder Recognition?

MarkA
We have a custom static Java method that handles stripping and converting characters per the OWASP XSS Prevention Cheat Sheet. Unfortunately, SCA doesn't recognize strings passed through this function as having been validated.

We'd like to resolve this, but I can't seem to find any documentation in the SCA User Guide for 18.10 that actually explains how. Filtering individual issue IDs, marking them as not an issue, or suppressing them aren't really an option due to the size of the codebase.

Replacing our filter code with ESAPI.encoder().encodeForHtml(), which has nearly matching output to our method (ours is a little more aggressive), makes Fortify happy, but I'd really rather avoid the overhead and extra dependencies of the ESAPI module.
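A custom DataflowCleanseRule is the mechanism Fortify SCA offers for telling the dataflow analyzer that a method removes XSS taint from its return value, which is why the ESAPI encoder "works": the shipped rulepack already carries such a rule for it. The rulepack below is an added example, not code from the original post or from the Fortify documentation; the package, class and method names (com.example.security.HtmlEncoder.encodeForHtml) are placeholders for the poster's own method, the RuleID is a placeholder to replace with a freshly generated GUID, and the taint flags are an assumption that should be checked against the ESAPI encodeForHTML cleanse rule in the installed rulepack so the custom rule clears exactly the same flags.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example rulepack: loaded with "sourceanalyzer ... -rules custom-xss-cleanse.xml"
     during the scan phase, or copied into the rules directory of the SCA installation. -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <!-- Placeholders: replace both IDs with your own GUIDs before use -->
  <RulePackID>00000000-0000-0000-0000-000000000001</RulePackID>
  <SKU>custom-xss-cleanse</SKU>
  <Name>Custom HTML encoder cleanse rules</Name>
  <Version>1.0</Version>
  <Description>Marks the in-house HTML encoder as an XSS cleanse function.</Description>
  <Rules version="3.14">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="3.14" language="java">
        <RuleID>00000000-0000-0000-0000-000000000002</RuleID>
        <!-- Assumed flags: confirm they match the ESAPI encodeForHTML cleanse rule
             in your rulepack. Adding a VALIDATED_* flag tells the XSS sink rules
             that data passing through this method is no longer reportable. -->
        <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT</TaintFlags>
        <FunctionIdentifier>
          <!-- Placeholder package/class/method of the static encoder; patterns are regexes,
               so dots in the package name are escaped -->
          <NamespaceName><Pattern>com\.example\.security</Pattern></NamespaceName>
          <ClassName><Pattern>HtmlEncoder</Pattern></ClassName>
          <FunctionName><Pattern>encodeForHtml</Pattern></FunctionName>
          <!-- Also match subclasses or overrides, should the encoder ever become non-static -->
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <!-- Only the return value is cleansed; the input argument stays tainted,
             so code that keeps using the raw string is still flagged -->
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

Keep the cleanse scoped to the contexts the method actually encodes for: an HTML-entity encoder does not make data safe inside a JavaScript block or a URL, so do not add flags for those categories.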
