Fortify User Discussions

SCA - Custom Cross Site Scripting Encoder Recognition?

MarkA
New Member.


We have a custom static Java method that handles stripping and converting characters per the OWASP XSS Prevention Cheat Sheet. Unfortunately, SCA doesn't recognize strings passed through this function as having been validated.

We'd like to resolve this, but I can't seem to find any documentation in the SCA User Guide for 18.10 that actually explains how. Filtering individual issue IDs, marking them as not an issue, or suppressing them aren't really an option due to the size of the codebase.

Replacing our filter code with ESAPI.encoder().encodeForHtml(), which has nearly matching output to our method (ours is a little more aggressive), makes Fortify happy, but I'd really rather avoid the overhead and extra dependencies of the ESAPI module.

1 REPLY
Micro Focus Frequent Contributor

Re: SCA - Custom Cross Site Scripting Encoder Recognition?

Hi Mark

This would require a custom rule which marks all data going through that function as validated for XSS according to your description.

You should check out the custom rules guide for this.

Thanks

Lucas
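The kind of rule Lucas is describing is a dataflow cleanse rule: it tells SCA that a value returned from the named method carries the "validated for XSS" taint flags, so later sinks no longer report it. The rule pack below is an added illustration, not something from this thread or from Micro Focus; the package, class and method names (com.example.security.XssEncoder.encodeForHtml) are placeholders for the poster's own encoder, the RulePackID is a placeholder for a UUID, and the formatVersion and taint-flag names are taken from my recollection of the Fortify custom rules guide and should be checked against the guide that ships with 18.10.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>PLACEHOLDER-GENERATE-A-UUID</RulePackID>
  <SKU>custom-xss-encoder</SKU>
  <Name>Custom XSS encoder cleanse rules</Name>
  <Version>1.0</Version>
  <Description>Treats the in-house HTML encoder as an XSS validator.</Description>
  <Rules>
    <RuleDefinitions>
      <!-- formatVersion is an assumption; use the value your custom rules guide lists -->
      <DataflowCleanseRule formatVersion="3.17" language="java">
        <RuleID>PLACEHOLDER-GENERATE-ANOTHER-UUID</RuleID>
        <!-- Only claim the contexts the encoder really covers. An HTML-body
             encoder per the OWASP cheat sheet does NOT make output safe inside
             a script block or an unquoted attribute, so review which flags you
             set rather than copying them blindly. -->
        <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT,+VALIDATED_CROSS_SITE_SCRIPTING_DOM</TaintFlags>
        <FunctionIdentifier>
          <!-- Placeholder names: replace with the real package, class and method -->
          <NamespaceName><Pattern>com\.example\.security</Pattern></NamespaceName>
          <ClassName><Pattern>XssEncoder</Pattern></ClassName>
          <FunctionName><Pattern>encodeForHtml</Pattern></FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <!-- The cleansed value is the method's return value, not an argument -->
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

Pass the file to the scan with the -rules option (or drop it into the Rules directory of the SCA install) and re-scan; the change should show up as the previously reported XSS findings dropping out for paths that go through the encoder, which is also a quick way to confirm the FunctionIdentifier actually matched.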
