1 year ago
#371675
Champ-Java
XSS Vulnerabilities Checkmarx In REST API MultiValueMap
Checkmarx is giving an XSS vulnerability for the following method in my Controller class. Specifically: "This element's value (MultiValueMap<String, String> headers) then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method:"
@PutMapping(value = "<URL>{listId}/some/{itemId}", consumes = {APPLICATION_JSON_VALUE})
public ResponseEntity<String> deleteBlacklistItem(@PathVariable("itemId") String itemId,
                                                  @PathVariable("listId") String listId,
                                                  @RequestHeader MultiValueMap<String, String> headers) {
    // <calling service >
}
I tried this: I created one customized filter, as below, in the security configuration class.
@Bean  // without @Bean the registration is never picked up by Spring Boot
public FilterRegistrationBean<XSSFilter> xssPreventFilter() {
    FilterRegistrationBean<XSSFilter> registrationBean = new FilterRegistrationBean<>();
    registrationBean.setFilter(new XSSFilter());
    registrationBean.addUrlPatterns("/*");  // apply the filter to every request path
    return registrationBean;
}
and
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .headers()
            .xssProtection()
            .and()
            .contentSecurityPolicy("script-src 'self'")
            .and()
            .frameOptions()
            .deny()
        .and()
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/abc/api/*").permitAll();
}
But the above solution is not working; can someone help me? I'm not sure how we can sanitize or validate a MultiValueMap.
Also, I implemented one customized solution, as below. But my lead said they want the solution to be at the Spring Security level.
public static MultiValueMap<String, String> sanitizeObject(Object object) throws JSONException, IOException {
    Gson gson = new Gson();
    // Serialize the object, HTML-escape it, then run it through the Jsoup basic safelist
    String json = Jsoup.clean(StringEscapeUtils.escapeHtml4(gson.toJson(object)), Whitelist.basic());
    JSONObject jsonObject = new JSONObject(json);
    Iterator<String> nameItr = jsonObject.keys();
    Map<String, String> outMap = new HashMap<String, String>();
    while (nameItr.hasNext()) {
        String name = nameItr.next();
        outMap.put(name, jsonObject.getString(name));
    }
    // Rebuild a MultiValueMap with a single-element list per key
    MultiValueMap<String, String> multiValueMap = new LinkedMultiValueMap<String, String>(
        outMap.entrySet().stream().collect(
            Collectors.toMap(Map.Entry::getKey, e -> Arrays.asList(e.getValue()))));
    System.out.println(multiValueMap);
    return multiValueMap;
}
//Controller
@GetMapping(value = "/<API URL>/filter", consumes = {APPLICATION_JSON_VALUE})
public ResponseEntity<String> deletelistItem(@RequestHeader MultiValueMap<String, String> headers,
                                             @RequestParam Map<String, String> request) throws JSONException, IOException {
    ResponseEntity<String> response = service.getDeleteId(headers, request);
    return response;
}
//Service Class
public ResponseEntity<String> getDeleteId(MultiValueMap<String, String> headers, Map<String, String> request) {
    // Pass the query value and the incoming headers on to the cloud service and return its response
    return cloudService.getDeleteId(request.get(QUERY_KEY_VALUE), headers);
}
//Cloud Service
@Override
public ResponseEntity<String> getDeleteId(String id, MultiValueMap<String, String> headers) {
    try {
        // Forward the incoming request headers unchanged to the downstream call (deleteUrl is a field)
        HttpEntity<Void> entity = new HttpEntity<>(headers);
        ResponseEntity<String> response = restTemplate.exchange(deleteUrl, GET, entity, String.class);
        log.info("Http Response {}", response.getStatusCode());
        return response;
    } catch (HttpClientErrorException | HttpServerErrorException e) {
        throw new CustomizeException(e.getResponseBodyAsString(), e, e.getStatusCode());
    } catch (Exception e) {
        throw new CustomizeException("Unable Delete", e, BAD_GATEWAY);
    }
}
java
spring-boot
spring-security
checkmarx
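An added example, not taken from the question, Checkmarx or Spring, of the approach the finding points at: treat the header MultiValueMap as untrusted input, forward only an allow-listed and validated subset to RestTemplate, and HTML-escape any value that reaches a response body. The class name and the header names in ALLOWED are assumptions for this example.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.http.HttpHeaders;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.util.HtmlUtils;

// Example helper (not from the question): validate the incoming header map before it is
// forwarded with RestTemplate, and HTML-escape anything that is echoed back in the body.
public final class ForwardedHeaderValidator {

    // Allow-list of header names the downstream call actually needs (assumed for this example).
    private static final Set<String> ALLOWED = Set.of("authorization", "x-request-id", "accept");

    // RFC 7230 field-value chars: visible ASCII, space, tab. Rejects CR/LF, other controls, non-ASCII.
    private static final Pattern SAFE_VALUE = Pattern.compile("[\\x20\\x09\\x21-\\x7E]{1,1024}");

    /** Returns fresh HttpHeaders containing only allow-listed, well-formed header values. */
    public static HttpHeaders toForwardable(MultiValueMap<String, String> incoming) {
        HttpHeaders out = new HttpHeaders();
        for (Map.Entry<String, List<String>> e : incoming.entrySet()) {
            String name = e.getKey().toLowerCase();
            if (!ALLOWED.contains(name)) {
                continue;                      // unknown headers are dropped, never forwarded
            }
            for (String value : e.getValue()) {
                if (value == null || !SAFE_VALUE.matcher(value).matches()) {
                    throw new IllegalArgumentException("Rejected value for header " + name);
                }
                out.add(name, value);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        MultiValueMap<String, String> headers = new LinkedMultiValueMap<>(); // constructed input
        headers.add("X-Request-Id", "req-123");
        headers.add("Cookie", "session=abc");                  // not allow-listed: dropped
        System.out.println(toForwardable(headers));
        // The real XSS sink is the response body: escape the value there, not the map
        System.out.println(HtmlUtils.htmlEscape("<b>" + headers.getFirst("X-Request-Id") + "</b>"));
        headers.add("Accept", "text/html\r\nX-Injected: 1");   // CR/LF in a value: rejected
        try { toForwardable(headers); } catch (IllegalArgumentException ex) { System.out.println(ex.getMessage()); }
    }
}
```

Pass the result of toForwardable to the HttpEntity used by restTemplate.exchange instead of the raw map, so the taint path Checkmarx reports ends at the validation step.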
0 Answers