I'm working with software that passes through a "Security Application" that indicates lines of code that are potentially unsafe (theoretically).
Based on the code below, the application flags the outputStream.write() line, reporting "Improper Neutralization of Script-Related HTML Tags in a Web Page" (improper neutralization of code related to HTML tags on a web page):
// Content-Disposition marks the response as a download; the filename is first passed through the application's own neutralization routine
response.addHeader("Content-Disposition", "attachment; filename=" + Util.NeutralizeFileName(filename));
// The file contents come from the data object, already validated upstream
byte[] bytes = obj_Data.getBytes("File");
// Write the raw bytes straight to the response body (this is the line the scanner flags)
ServletOutputStream outputStream = response.getOutputStream();
outputStream.write(bytes, 0, bytes.length);
outputStream.flush();
outputStream.close();
I'm not actually writing HTML but rather a downloadable file. In addition, all "untrusted" data from the user is being validated and neutralized before being converted to the byte array.
So, my question is: is this some kind of false warning? If not, what can I do to produce an appropriate validation?
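Whatever the scanner concludes, the controls a defender relies on for a download endpoint like this one live in the response headers rather than in the bytes being written: a non-HTML Content-Type, an attachment disposition, X-Content-Type-Options: nosniff so the browser does not sniff the body as a page, and a filename that cannot break out of the header value. The following is an added example written for this page; it is not code from the question and `DownloadHeaders`, `neutralizeFileName`, `rfc5987Encode` and `build` are hypothetical names, not the question's `Util.NeutralizeFileName`. It only builds the header map, so it runs with a plain JDK (`java DownloadHeaders.java`) and can be wired to `response.setHeader` in a servlet.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical helper (added example, not the question's Util class) that builds
 * the headers for a file download so the browser treats the body as an opaque
 * attachment, even if the bytes inside happen to contain HTML tags.
 */
public final class DownloadHeaders {

    /** ASCII fallback for the quoted filename= parameter: letters, digits, '.', '-', '_' only. */
    public static String neutralizeFileName(String raw) {
        if (raw == null || raw.isEmpty()) {
            return "download";
        }
        StringBuilder sb = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
            sb.append(ok ? c : '_'); // quotes, separators and control characters become '_'
        }
        // no leading dots, so the name can never look like a hidden or traversal-style path
        String name = sb.toString().replaceFirst("^\\.+", "");
        return name.isEmpty() ? "download" : name;
    }

    /** filename* value (RFC 5987 style): UTF-8 bytes, percent-encoded except attr-char, so non-ASCII names survive. */
    public static String rfc5987Encode(String raw) {
        StringBuilder sb = new StringBuilder("UTF-8''");
        for (byte b : raw.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            boolean attrChar = (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z')
                    || (v >= '0' && v <= '9') || "!#$&+-.^_`|~".indexOf(v) >= 0;
            if (attrChar) {
                sb.append((char) v);
            } else {
                sb.append(String.format("%%%02X", v)); // CR, LF, quotes, ';' etc. can never reach the header raw
            }
        }
        return sb.toString();
    }

    /** Header set for a download; the caller copies each entry to response.setHeader(name, value). */
    public static Map<String, String> build(String untrustedFileName) {
        Map<String, String> h = new LinkedHashMap<>();
        // generic binary type: the body is never interpreted as text/html by a conforming browser
        h.put("Content-Type", "application/octet-stream");
        // forbid MIME sniffing, which is what would otherwise let HTML-looking bytes render as a page
        h.put("X-Content-Type-Options", "nosniff");
        // attachment, never inline; ASCII fallback plus the encoded full name
        h.put("Content-Disposition", "attachment; filename=\"" + neutralizeFileName(untrustedFileName)
                + "\"; filename*=" + rfc5987Encode(untrustedFileName));
        // belt and braces for any cached copy served to another user
        h.put("Cache-Control", "no-store");
        return h;
    }

    public static void main(String[] args) {
        // constructed sample name with characters that would be awkward inside a header value
        String requested = "report \"2024\" résumé/<b>.html";
        for (Map.Entry<String, String> e : build(requested).entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
        // prints, among others:
        // Content-Disposition: attachment; filename="report__2024__r_sum____b_.html"; filename*=UTF-8''report%20%222024%22%20r%C3%A9sum%C3%A9%2F%3Cb%3E.html
    }
}
```

Two design points are worth noting. First, the ASCII `filename=` fallback is deliberately stricter than it needs to be, because it sits unencoded inside a quoted string; the lossless spelling of the name goes only into `filename*`, where every byte outside the RFC 5987 attr-char set is percent-encoded. Second, `nosniff` together with a non-HTML Content-Type is what makes the body's contents irrelevant to the browser's rendering decision, which is the property a scanner is really asking about when it flags an unencoded write of user-influenced bytes.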