We’re working with:
- Developer Edition - Version 9.1 (build 47736)
- We want to fix a warning about “Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks” on parameters which are already sanitized
- We’re using a library mandated by Cybersecurity in order to sanitize the input, and SonarQube does not seem to recognize it and marks all the user input as tainted
here’s the method:
    // Validator-style check: rejects input that contains known illegal
    // sequences (containsIllegalSequences is defined elsewhere in the
    // Cybersecurity-mandated library), otherwise returns the argument unchanged.
    public static String sanifyUserInput(String i) throws ServletException {
        if (containsIllegalSequences(i))
            throw new ServletException("Input contains illegal sequences, refusing");
        return i;
    }
All user input is passed through that method, so we need some way to mark the output of the method as “sanitized” in order to avoid being flooded with false-positive “javasecurity:S5131” errors.
Is there any annotation to do so? Is this a false-positive?
We’re experiencing the very same issues with log-tainting warnings.
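Added example, not part of the original post and not SonarQube's or the Cybersecurity library's code: a small Java program that puts a method with the same shape as sanifyUserInput next to a transforming sanitizer. The security-relevant difference is that the first one either rejects the input or returns the very same String it received, so from a data-flow point of view nothing about the value changed, while the second one constructs a new value in which the HTML-significant characters cannot reach the output context unencoded. The body of containsIllegalSequences (a short reject-list), the InputRejectedException stand-in for ServletException (so it compiles without the servlet API) and the encodeForHtml name are assumptions made for this example.

```java
import java.util.List;

public class SanitizerShapes {

    // Assumption: stand-in for javax.servlet.ServletException so the example
    // compiles with the JDK alone.
    static class InputRejectedException extends Exception {
        InputRejectedException(String msg) { super(msg); }
    }

    // Assumption: the post does not show containsIllegalSequences, so a
    // minimal case-insensitive reject-list is used here as its body.
    private static final List<String> ILLEGAL_SEQUENCES = List.of("<script", "javascript:");

    static boolean containsIllegalSequences(String i) {
        String lower = i.toLowerCase();
        for (String seq : ILLEGAL_SEQUENCES) {
            if (lower.contains(seq)) return true;
        }
        return false;
    }

    // Validator, same shape as the post's sanifyUserInput: either throws, or
    // returns the argument object itself. The value flowing out is the value
    // that flowed in, which is why a data-flow analysis sees no change.
    static String sanifyUserInput(String i) throws InputRejectedException {
        if (containsIllegalSequences(i))
            throw new InputRejectedException("Input contains illegal sequences, refusing");
        return i;
    }

    // Transforming sanitizer: builds a new String in which every character that
    // has meaning in HTML text or attribute context is replaced by its entity,
    // so whatever the input was, the output cannot close or open markup.
    static String encodeForHtml(String i) {
        StringBuilder sb = new StringBuilder(i.length());
        for (int k = 0; k < i.length(); k++) {
            char c = i.charAt(k);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[] samples = { "plain text", "Tom & \"Jerry\"", "<b>bold</b>", "<script>x</script>" };
        for (String s : samples) {
            String validated;
            try {
                validated = sanifyUserInput(s);
            } catch (InputRejectedException e) {
                System.out.printf("%-22s validator: REJECTED (%s)%n", s, e.getMessage());
                continue;
            }
            // validated == s is true for every accepted input: the reference is unchanged.
            System.out.printf("%-22s validator: same object=%b | encoded: %s%n",
                    s, validated == s, encodeForHtml(s));
        }
    }
}
```

Run it with `javac SanitizerShapes.java && java SanitizerShapes`. The "<b>bold</b>" line passes the validator untouched, while encodeForHtml turns it into "&lt;b&gt;bold&lt;/b&gt;"; that contrast is the property a reviewer would check when deciding whether a given method deserves to be treated as a sanitizer for the S5131 rule or only as a filter in front of one.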