How to prevent Put API in your controller from XSS attacks reflected in CheckMarx scans?

Question

I ran a CheckMarx Scan on my repository and it gave quite many potential Reflected XSS attack results. Here is the code for my controller :

@PutMapping("/calculate")
    public UpdatedResponse calculateModel(
            @RequestBody ModelDocument modelDocument, @RequestParam String clientFirstName,
            @PathVariable String clientId, @PathVariable String clientLastName
 ) {

        // Sanitize the parameters

        modelDocument = checkForCSS(modelDocument); // NOT ACCEPTING THIS
        clientId = StringEscapeUtils.escapeHtml4(clientId);
        clientFirstName = StringEscapeUtils.escapeHtml4(clientFirstName);
        clientLastName = StringEscapeUtils.escapeHtml4(clientLastName);
.....
}

While I was able to resolve the warnings for clientId, clientFirstName and clientLastName since they were all string variables. But how do I do it for modelDocument since it is a user defined variable in itself and further has various strings, maps etc. defined inside of it.

The method checkForCSS is defined as below but is not being recognized by the scan:

public static <T> T checkForCSS(T t) {
        Gson gson = new GsonBuilder().serializeSpecialFloatingPointValues().create();
        String agendaModelStr = sanitize(gson.toJson(t));
        return gson.fromJson(agendaModelStr, (Type) t.getClass());
    }

public static String sanitize(String string) {
        return Jsoup.clean(string, "", Whitelist.none(), new Document.OutputSettings().prettyPrint(false));

Any help would be appreciated. Thanks!

Answer 1

try this:

ESAPI.encoder().encodeForHTML(clientFirstName);

and do it for all your query params.