Java Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)

Notice: this page is a Chinese/English rendering of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me) and link the original: http://stackoverflow.com/questions/35355578/

Date: 2020-11-03 00:02:45  Source: igfitidea

Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)

Tags: java, struts, fortify, esapi

Asked by Shruti

I have scanned my application in the HP Fortify portal and am getting an issue: Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow).

I am already using ESAPI library.


What should I do to solve this issue? Is there any other library/jar to validate the inputs?

Thanks in advance.


Answered by user1836982

Fortify "Cross-Site Scripting: Poor Validation" is complaining that your OUTPUT encoding is either improper or not effective. The purpose of output encoding (escaping) is to confine the special characters (meta characters) to a literal string, so they cannot be executed as a command.

To remediate:

Step #1. Determine who is going to consume this "to be encoded" context.

Step #2. Properly encode the context based on the delivery protocol and the downstream needs. For example:

  • If the data is being consumed in the [?query] part of the URL, you need to find a function to wrap (aka encode, escape) the 18 reserved characters (! * ' ( ) ; : @ & = + $ , / ? # [ ]) that have special meaning to the HTTP protocol (not necessarily encode the entire URL). (Read RFC 3986 Sec 2.2 for details.)
  • If the data is being consumed as an XML entity, you need to encode 5 meta characters (& < > " ') (check W3C XML Spec Sec 2.4). But this is not always true: data used as a comment, in a processing instruction, or in a CDATA section doesn't need to be encoded.

Step #3. Collect encoding examples for future pick and use. (Sorry, when posted as code some contents changed, so posted as images.)

Need to consider the overhead of the ESAPI library: is it worth loading a 30 MB jar for one fix?

Output encoding using the lightweight org.owasp.encoder library
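As an added example that is not part of the answer or its images, the class below shows what step 2's "encode for the consumer" looks like with the OWASP Java Encoder (Maven artifact org.owasp.encoder:encoder), the lightweight library the last image refers to. The Encode.* methods are the library's real API; the class name, the HTML/XML/URL templates and the payload string are constructed for illustration. One caveat the practitioner should keep in mind: a CDATA section is not entirely exempt, because a value containing `]]>` would terminate the section early, which is exactly what Encode.forCDATA neutralises.

```java
// Added example, not code from the original post: one encoder per output context,
// using the OWASP Java Encoder (org.owasp.encoder:encoder). The payload and the
// HTML/XML/URL templates below are constructed for illustration.
import org.owasp.encoder.Encode;

public final class ContextEncodingDemo {

    // HTML element content: &, <, >, " and ' become character references,
    // so a <script> tag in the value is rendered as text, not parsed as markup.
    static String forHtmlBody(String untrusted) {
        return "<p>" + Encode.forHtml(untrusted) + "</p>";
    }

    // Quoted HTML attribute: the value cannot break out of the surrounding quotes.
    static String forHtmlAttribute(String untrusted) {
        return "<input type=\"text\" value=\"" + Encode.forHtmlAttribute(untrusted) + "\">";
    }

    // JavaScript string literal inside a <script> block: quotes, backslashes,
    // line terminators and "</" are escaped so the literal cannot close the element.
    static String forJavaScriptLiteral(String untrusted) {
        return "<script>var q = '" + Encode.forJavaScript(untrusted) + "';</script>";
    }

    // Query-string value: RFC 3986 Sec 2.2 reserved characters (& = ? # / ...) are
    // percent-encoded. Only the value is encoded; the fixed part of the URL is not.
    static String forQueryValue(String untrusted) {
        return "/search?q=" + Encode.forUriComponent(untrusted);
    }

    // XML element content: the five XML meta characters & < > " ' are escaped.
    static String forXmlContent(String untrusted) {
        return "<name>" + Encode.forXml(untrusted) + "</name>";
    }

    // CDATA section: text inside it is not parsed, so the only thing to neutralise
    // is a "]]>" sequence in the value, which would otherwise end the section early.
    static String forCdata(String untrusted) {
        return "<note><![CDATA[" + Encode.forCDATA(untrusted) + "]]></note>";
    }

    public static void main(String[] args) {
        // Constructed attack string that is dangerous in several contexts at once.
        String payload = "x\"><script>alert('xss')</script>&lang=en]]>";
        System.out.println(forHtmlBody(payload));
        System.out.println(forHtmlAttribute(payload));
        System.out.println(forJavaScriptLiteral(payload));
        System.out.println(forQueryValue(payload));
        System.out.println(forXmlContent(payload));
        System.out.println(forCdata(payload));
    }
}
```

Run it with the encoder jar on the classpath and compare the six lines: the same payload is neutralised differently in each context, which is why picking the encoder by the consumer (step 1) rather than applying one generic escape matters.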

Answered by Eric

This happens when you're using encoding to prevent XSS. If you weren't encoding you would get a critical XSS finding. Since you're encoding, it's moved to a medium. To fully prevent XSS, you would want to use the proper encoding given the context and then make sure your inputs are being validated. There are libraries out there that can help, such as Apache Struts Validator, but even then Fortify will not be able to accurately determine whether your input validation is sufficient. Static analysis products can't determine the type of data inside a variable, so there's really no good way to check for proper validation. What you want to do is validate the input, and once you're certain the finding is satisfied with encoding and input validation, you can suppress the finding.

After you've written the validation methods you can store them in a jar file and then write custom rules for Fortify so that it knows those methods provide XSS validation. This issue would not occur in future scans. Check out Dataflow Cleanse Rules in the Fortify Custom Rules Guide.


Answered by SecurityNinja

Fortify understands the ESAPI libraries very well, so can you please tell me which function of the ESAPI lib you are calling at the input and output call? You can refer to https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for the various contexts and the validation you have to use for XSS, and based on the context you need to use the ESAPI functions.

In your case you're using simple encoding, which is not an accurate solution, so though Fortify has reduced the severity it is still an issue; please use the correct ESAPI function at source and sink. Fortify should not flag an issue then. And if you still see it, then create a custom rule as said in another answer.
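The last two answers converge on one pattern: allow-list validation at the source and context-specific encoding at the sink, with recognised library calls rather than ad-hoc escaping. As an added example that is not from any of the answers, the class below does that with the ESAPI API the question is already using (Maven artifact org.owasp.esapi:esapi). It assumes ESAPI's configuration files (ESAPI.properties, and validation.properties in newer releases) are on the classpath; the "SafeString" rule it references is shipped in that default configuration. The class and method names, the 50-character limit and the sample inputs are illustrative choices.

```java
// Added example, not from the original answers: ESAPI allow-list validation at the
// source and context-specific encoding at the sink. Assumes ESAPI's configuration
// files (ESAPI.properties / validation.properties) are on the classpath; the
// "SafeString" rule referenced below is shipped in that default configuration.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public final class EsapiSourceAndSink {

    // SOURCE: reject anything that is not an allow-listed username. "username" is the
    // logging context, "SafeString" the named regex rule, 50 the maximum length, and
    // false means a null/empty value is a validation error. This overload canonicalizes
    // the input first, so double-encoded payloads are compared in decoded form.
    static String validateUsername(String raw) throws ValidationException {
        return ESAPI.validator().getValidInput("username", raw, "SafeString", 50, false);
    }

    // SINK: HTML element content.
    static String greetingHtml(String username) {
        return "<p>Welcome, " + ESAPI.encoder().encodeForHTML(username) + "</p>";
    }

    // SINK: JavaScript string literal. A different context needs a different encoder,
    // even for the same already-validated value.
    static String greetingScript(String username) {
        return "<script>var user = '" + ESAPI.encoder().encodeForJavaScript(username) + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign, one that fails the allow-list.
        String[] samples = { "alice01", "<img src=x onerror=alert(1)>" };
        for (String raw : samples) {
            try {
                String user = validateUsername(raw);
                System.out.println(greetingHtml(user));
                System.out.println(greetingScript(user));
            } catch (ValidationException e) {
                // getUserMessage() is safe to show to a user; getLogMessage() has the detail.
                System.out.println("rejected: " + e.getUserMessage());
            }
        }
    }
}
```

If you wrap these calls in your own helper methods, Fortify sees only the wrapper's signature, so you would then need the dataflow cleanse rule the second answer describes to teach it that the wrapper validates for XSS.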