In some Security analysis Engine (as my case) the analysis application flags any areas where the software is writing data out that originates with data from outside (the user for example), which is considered out of the trust boundary.
So, it is not necessarily a false warning but a designed behavior of the analysis application which is probably unable to understand the context of the output (whether it is an html or a byte file).
The best advice I could provide is consulting the application support or the documentation itself, which you can retrieve information of the standards used to flag the insecure areas of the your software.