In Java, in the lines below:

```java
TypedQuery<T> query = entityManager.createQuery(queryString, clazz);
List<T> result = query.getResultList();
```

It is saying that the variable result needs to be properly filtered or encoded, otherwise it may enable a Cross-Site Scripting attack.
I have already used HtmlUtils.htmlEscape(queryString) on the String object.
Any help and suggestions would be appreciated. Thanks
Checkmarx will ultimately look at the sink (output). You will then have to perform htmlEscape on each of the resulting items in the List:

```java
// Escape every item pulled from the query result before it reaches the page.
// The cast assumes the query returns String values (T is String).
List<T> newResult = new ArrayList<T>();
for (T temp : result) {
    newResult.add(HtmlUtils.htmlEscape((String) temp));
}
```
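The reason escaping queryString does not clear the finding is that the tainted data is what the database returns, not the JPQL text: a stored payload travels from the entity fields into the HTML page, so the encoding has to happen at that output sink. The following is an added example (not code from the question or the answer above) showing the sink-side encoding for the common case where the query returns entity objects rather than plain Strings. The Comment entity, its fields and the CommentView class are assumptions for illustration; HtmlUtils is Spring's org.springframework.web.util.HtmlUtils.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.web.util.HtmlUtils;

public class SinkEncodingExample {

    // Hypothetical JPA entity standing in for the T returned by query.getResultList().
    // Field names are assumptions for this example.
    public static class Comment {
        private final String author;
        private final String body;

        public Comment(String author, String body) {
            this.author = author;
            this.body = body;
        }

        public String getAuthor() { return author; }
        public String getBody() { return body; }
    }

    // View model that only ever holds HTML-escaped text, so the template layer
    // can print its fields without further processing.
    public static class CommentView {
        public final String author;
        public final String body;

        CommentView(String author, String body) {
            this.author = author;
            this.body = body;
        }
    }

    // Null-safe wrapper: HtmlUtils.htmlEscape rejects null input in recent Spring versions.
    static String escape(String s) {
        return s == null ? "" : HtmlUtils.htmlEscape(s);
    }

    // Encode at the sink: every string field that will land in HTML is escaped here,
    // right before rendering, regardless of how it got into the database.
    public static List<CommentView> escapeForHtml(List<Comment> rows) {
        List<CommentView> out = new ArrayList<>(rows.size());
        for (Comment c : rows) {
            out.add(new CommentView(escape(c.getAuthor()), escape(c.getBody())));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample rows in place of a real query result; the second row
        // carries markup to show that it is neutralised on output.
        List<Comment> rows = List.of(
            new Comment("alice", "Nice post!"),
            new Comment("<b>mallory</b>", "<script>alert(1)</script>"));

        for (CommentView v : escapeForHtml(rows)) {
            // The concatenation is the HTML sink; only escaped text reaches it.
            System.out.println("<li><b>" + v.author + "</b>: " + v.body + "</li>");
        }
    }
}
```

The second row prints as `&lt;b&gt;mallory&lt;/b&gt;` and `&lt;script&gt;alert(1)&lt;/script&gt;`, so the browser shows the characters literally instead of interpreting them. Keeping the escaped values in a dedicated view type also makes the data flow explicit for a scanner: the entity's raw fields never reach the output statement, which is what the Checkmarx finding is asking for.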