I am uploading a file to a server using FtpWebRequest, but it causes a critical Cross-site scripting (XSS) vulnerability. This file's contents are important and I need to upload them as is. How could I fix this issue?
The method sends unvalidated data to a web browser on line 1274, which can
result in the browser executing malicious code.
using System;
using System.IO;
using System.Net;
using System.Text;

// Build the file contents in memory.
StringBuilder sb = new StringBuilder();
sb.AppendLine(...);
// ... further lines are appended here (omitted in the post) ...

// Encoding.Default depends on the machine's code page; the resulting bytes are uploaded unchanged.
byte[] data = Encoding.Default.GetBytes(sb.ToString());

FtpWebRequest requestUpload = (FtpWebRequest)WebRequest.Create(ftpPath);
requestUpload.Proxy = new WebProxy();
requestUpload.KeepAlive = false;
requestUpload.EnableSsl = true;
// This callback accepts every server certificate, so the TLS connection is not authenticated
// and can be intercepted; validate sslPolicyErrors (or drop the callback) in production code.
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
requestUpload.Credentials = new NetworkCredential(ftpUser, ftpPassword);
requestUpload.Method = WebRequestMethods.Ftp.UploadFile;

// Stream the bytes to the FTP server.
using (Stream requestStream = requestUpload.GetRequestStream())
{
    requestStream.Write(data, 0, data.Length);
}
// Dispose the response so the control connection is released.
using (FtpWebResponse response = (FtpWebResponse)requestUpload.GetResponse())
{
    Console.WriteLine(response.StatusDescription);
}
2 Answers
You need to validate your file and place appropriate restrictions on it. The two most appropriate restrictions are size and type.
You should limit the size to something that is appropriate for your scenario, i.e. the maximum file size anyone should need to upload.
You should limit the file type to a selection of types that do not include executable files e.g. CSV, PDF.
You can use custom validation attributes to handle the validation.
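As an added illustration of the size-and-type restrictions this answer recommends (example code, not from the question or the answer), a custom ValidationAttribute in C#; the UploadedFile model, the default limits and the content checks are assumptions:

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.IO;
using System.Linq;
using System.Text;

// Constructed model: the file name the client claims and the raw bytes to be uploaded.
public sealed class UploadedFile
{
    public string FileName { get; set; } = "";
    public byte[] Content { get; set; } = Array.Empty<byte>();
}

// Rejects files that are too large, have a disallowed extension, or whose
// content does not match the type the extension claims.
[AttributeUsage(AttributeTargets.Property)]
public sealed class SafeUploadAttribute : ValidationAttribute
{
    public long MaxBytes { get; set; } = 5 * 1024 * 1024;           // assumed default: 5 MiB
    public string[] AllowedExtensions { get; set; } = { ".csv", ".pdf" };

    protected override ValidationResult IsValid(object value, ValidationContext ctx)
    {
        if (value is not UploadedFile file)
            return new ValidationResult("No file supplied.");
        if (file.Content.LongLength == 0 || file.Content.LongLength > MaxBytes)
            return new ValidationResult($"File must be between 1 and {MaxBytes} bytes.");

        // Take only the extension; never trust a client-supplied path.
        string ext = Path.GetExtension(Path.GetFileName(file.FileName)).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext))
            return new ValidationResult($"File type '{ext}' is not allowed.");

        // Check the bytes agree with the claimed type (PDF magic header; CSV = printable text).
        bool contentOk = ext switch
        {
            ".pdf" => file.Content.Length >= 5 &&
                      Encoding.ASCII.GetString(file.Content, 0, 5) == "%PDF-",
            ".csv" => !file.Content.Any(b => b < 0x20 && b != (byte)'\t' && b != (byte)'\r' && b != (byte)'\n'),
            _ => false,
        };
        return contentOk ? ValidationResult.Success
                         : new ValidationResult("File content does not match its type.");
    }
}

public sealed class UploadRequest
{
    [Required, SafeUpload(MaxBytes = 1_000_000, AllowedExtensions = new[] { ".csv" })]
    public UploadedFile File { get; set; }
}
```

Run the check with Validator.TryValidateObject(request, new ValidationContext(request), results, validateAllProperties: true) before the bytes ever reach the FtpWebRequest.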
That code line does not send any data to a web browser.
To me it seems like a false warning.