XSS
Konstantin1706, 2021-04-11 22:48:58

Spring Boot, Checkmarx and Stored XSS: how to solve HIGH notifications?

There is an application with a bunch of Spring Boot, Spring Data. I analyzed the code with Checkmarx. Received a HIGH warning that the code is susceptible to a Stored XSS attack. I analyzed the recommendation from the site https://www.checkmarx.com/blog/3-ways-prevent-xss/ , as well as stackoverflow and other well-known sources, it turned out that it was necessary to get rid of html tags. I used HtmlUtils.htmlEscape and StringEscapeUtils.escapeHtml4, but I never got rid of the error. The error is related to the fact that a possible request with an xss attack could be saved in the database, and when retrieved, "inconsistent" data will be sent to the UI. This is not exactly my code, but something like this:

Set<User> users = repo.getUsers();

Checkmarx complains about the getUsers method. I tried to prevent this problem by:

  • Specifying a custom serializer for String DTO fields
  • Used the above methods (HtmlUtils.htmlEscape and StringEscapeUtils.escapeHtml4) when mapping entity -> dto.

But there was no effect from this.

On the Checkmarx Dashboard in the report, there is a Best Fix Locations (BFL) column. This column contains either an object or a method. I tried editing exactly there, with zero effect.

At the same time, when I had Reflected XSS vulnerabilities with RequestParam, I managed to overcome it only with the help of HtmlUtils.htmlEscape. The strange thing is that when I implemented a Spring Security Filter that intercepted the request and prevented the XSS attack, Checkmarx kept complaining and didn't consider it a solution. Although I believe that the custom filter option is a better solution than checking each RequestParam in each endpoint.

Perhaps someone has already encountered a similar issue, or can point me toward the right solution.
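Output encoding at the DTO serialization boundary, as an added example that is not part of the question or the author's project; the `UserDto` class and its fields are hypothetical, and it assumes a Spring Boot project with spring-web (for `HtmlUtils`) and Jackson on the classpath:

```java
// Added example, not the question author's code. Assumes spring-web and
// Jackson on the classpath; UserDto and its field names are hypothetical.
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import org.springframework.web.util.HtmlUtils;

import java.io.IOException;

/** Escapes a String field when it is written to the response (output encoding). */
public class HtmlEscapingSerializer extends JsonSerializer<String> {
    @Override
    public void serialize(String value, JsonGenerator gen, SerializerProvider serializers)
            throws IOException {
        // htmlEscape turns <, >, &, " and ' into entities, so a payload that was
        // stored in the database reaches the browser as text, not as markup.
        gen.writeString(HtmlUtils.htmlEscape(value));
    }

    // Stand-alone demonstration with a constructed, obviously hostile value.
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        UserDto dto = new UserDto(1L, "<script>alert(1)</script>");
        System.out.println(mapper.writeValueAsString(dto));
        // {"id":1,"displayName":"&lt;script&gt;alert(1)&lt;/script&gt;"}
    }
}

/** Hypothetical DTO: only the free-text fields that end up in HTML are annotated. */
class UserDto {
    private final Long id;

    @JsonSerialize(using = HtmlEscapingSerializer.class)
    private final String displayName;

    UserDto(Long id, String displayName) {
        this.id = id;
        this.displayName = displayName;
    }

    public Long getId() { return id; }

    public String getDisplayName() { return displayName; }
}
```

Escaping inside a JSON field is only correct when the consuming UI inserts that field into HTML without escaping it again; a client that already escapes on render (for example React or Thymeleaf `th:text`) will display the entities literally, so encode in exactly one layer, chosen for the context where the value is actually rendered.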
