outputStream writing a byteArray - XSS validation

2

I'm working with software that passes through a "Security Application" that indicates lines of code that are potentially unsafe (theoretically).

Based on the code below, the application signals the outputStream.write() line accusing of Improper Neutralization of Script-Related HTML Tags in the Web Page (Improper Neutralization of code related to html tags on a web page)

response.addHeader("Content-Disposition","attachment; filename=" + Util.NeutralizeFileName(filename));
byte[] bytes = obj_Data.getBytes("File");
ServletOutputStream ouputStream = response.getOutputStream();
ouputStream.write(bytes, 0, bytes.length);
ouputStream.flush();
ouputStream.close();

I'm not actually writing a html but rather a downloadable file . In addition, all "untrusted" data from the user is being validated and neutralized before being converted to the byte array.

So, my question is: Is this some kind of false warning ? If not, what can I do to produce an appropriate validation ?

    
asked by anonymous 24.04.2014 / 19:36

1 answer

2

Without knowing the criteria used by the tool, it is difficult to speculate.

However, the code above can lead to security problems because the uploaded file could in theory be malicious content, from HTML to a virus-executable that would be downloaded by a user.

I do not know how smart the tool is, but maybe warning will not be inhibited if the Content-type , Content-transfer-encoding , and Content-length headers are properly set to represent the binary file. p>

The problem is that without the headers, the browser would have to "guess" what kind of file and this can be cause for alert.

However, in the final analysis, consult the manual or support for the tool in question.

    
24.04.2014 / 20:09