outputStream writing a byteArray - XSS prevention

Question

I am working with a software which pass through an Application Security which indicates the line codes that are "probably insecure".

Given the following code the Application is signing the outputStream.write() line accusing of Improper Neutralization of Script-Related HTML Tags in a Web Page

response.addHeader("Content-Disposition","attachment; filename=" + Util.NeutralizeFileName(filename));
byte[] bytes = obj_Data.getBytes("File");
ServletOutputStream ouputStream = response.getOutputStream();
ouputStream.write(bytes, 0, bytes.length);
ouputStream.flush();
ouputStream.close();

Actually, I am not writing an html page but a file download. And all the data before convert it to bytes are being validated and neutralized.

So, my question is: Is this a false warning? If not, what can I do to make the properly validation?

Answer 1

In some Security analysis Engine (as my case) the analysis application flags any areas where the software is writing data out that originates with data from outside (the user for example), which is considered out of the trust boundary.

So, it is not necessarily a false warning but a designed behavior of the analysis application which is probably unable to understand the context of the output (whether it is an html or a byte file).

The best advice I could provide is consulting the application support or the documentation itself, which you can retrieve information of the standards used to flag the insecure areas of the your software.

Answer 2

The user could still choose to open the file in browser. For instance in IE the user often gets a dialog where he/she can choose between cancel, save and open, where open will open in current tab. You can disable open by using a header though. Whether this is vulnerable to xss also depends on the content-type. Is it HTML?