The original issue is here: http://stackoverflow.com/questions/29223275/owasp-zap-reported-alert1-xss-vulnerability-but-no-popup-showed-up
Our developer fixed the issue by using HttpUtility.JavaScriptStringEncode to encode strings in JavaScript. After we used OWASP ZAP to fuzz the parameter, we still got several (Reflected) yellow balls in the result list. Clicking an item with a yellow ball, the highlight in the response was, for example:
DataSet.FilterBuilder.QueryValuesDictionary['57_ctl00'] = "alert(1)";
As you can see, the attack code is just a simple string and is not executed. Could we say we are safe now and this is just a false positive?
The ZAP Fuzzer does not detect vulnerabilities - it's a manual tool to help you find vulnerabilities. The "Reflected" indication is just that - an indication that the payload submitted is reflected in the response. If the payload was "A" and there was an "A" in the response then you'd get that indication. You need to look at the context of the reflected payload to determine whether there's a vulnerability there.
Simon (ZAP Project Lead)
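The context check Simon describes, as an added example (not code from the thread or from the ZAP project): a JavaScript approximation of HttpUtility.JavaScriptStringEncode (assumed to match .NET's handling of quotes, backslash, control characters and <, >, &), the reflected assignment line from the question with the value substituted, and a scan of whether that value stays inside the double-quoted literal. `render`, `literalIsIntact` and `triage` are hypothetical names; the response line is constructed from the one quoted above.

```javascript
// Added example (not from the thread or ZAP). Approximates .NET
// HttpUtility.JavaScriptStringEncode: quotes, backslash, control chars and
// <, >, & are escaped so the value cannot end the JS string or the <script>.
function jsStringEncode(s) {
  const map = { "\\": "\\\\", '"': '\\"', "'": "\\u0027", "<": "\\u003c",
                ">": "\\u003e", "&": "\\u0026", "\n": "\\n", "\r": "\\r",
                "\t": "\\t", "\b": "\\b", "\f": "\\f" };
  let out = "";
  for (const ch of s) {
    if (map[ch] !== undefined) { out += map[ch]; continue; }
    const code = ch.codePointAt(0);
    out += code < 0x20 ? "\\u" + code.toString(16).padStart(4, "0") : ch;
  }
  return out;
}

// The response line from the question, with the reflected value substituted
// (constructed here; `encoder` stands for whatever the page under test applies).
function render(payload, encoder) {
  return `DataSet.FilterBuilder.QueryValuesDictionary['57_ctl00'] = "${encoder(payload)}";`;
}

// Scans the double-quoted literal with JS escaping rules and reports whether
// the value stayed inside it: the first unescaped '"' must be the one the
// template wrote, nothing may follow it but ';', and the body may not carry a
// raw newline or a </script tag (which ends the script block regardless).
function literalIsIntact(line) {
  const open = line.indexOf('"');
  if (open < 0) return false;
  let body = "", i = open + 1;
  for (; i < line.length; i++) {
    const c = line[i];
    if (c === "\\") { body += c + (line[++i] ?? ""); continue; }
    if (c === '"') break;
    body += c;
  }
  return line.slice(i) === '";' && !/[\r\n]/.test(body) && !/<\/script/i.test(body);
}

// What ZAP's "Reflected" flag tells you (raw payload present in the response)
// versus what the manual review has to establish (value confined to the literal).
function triage(payload, encoder) {
  const line = render(payload, encoder);
  return { line, reflected: line.includes(payload), intact: literalIsIntact(line) };
}

const identity = (s) => s;   // an unencoded page, for comparison
console.log(triage("alert(1)", jsStringEncode));          // reflected, intact
console.log(triage('"; alert(1); "', identity));         // reflected, not intact
console.log(triage('"; alert(1); "', jsStringEncode));   // not reflected, intact
```

Note that `alert(1)` is flagged Reflected with or without the encoder, so it says nothing about the boundary; only a value carrying `"`, `\`, a newline or `</script` separates the encoded page from the unencoded one.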