Mitigate XSS on JSF reported by Fortify SAST

Here, things are clear about what Fortify is finding as a vulnerability because it reports that an `<h:inputHidden>` could be vulnerable to XSS. I read another post about JSF mitigating this, and they said there isn't a vulnerability because JSF escapes by default, and maybe I am convinced. But what about `<h:inputHidden>`? The same thing that came to my mind was trying to use `fn:escapeXml` in addition to the `#{...}` expression, for example `<h:inputHidden value="#{fn:escapeXml(bean.total)}" />`, but it doesn't work and it seems to be used only in JSP.
This is not the default behavior. Technically speaking, this can only happen if the app has a custom renderer specifically for `<h:inputHidden>` which doesn't HTML-escape the output. You'd then need to remove or fix that custom renderer. That's beyond the responsibility of JSF. Or the analysis tool is simply giving a false negative and you can then only mitigate it by replacing the analysis tool. This specific analysis tool is namely known to have spat false negatives before. One example: Fortify Cross-Site Scripting: Poor Validation JSF.

Consult CVEDetails.com for any officially registered security vulnerabilities in software products. The issue in question is not even listed over there and JSF has been in use across the globe long enough (20+ years) that it should surely have triggered one.
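The answer's one real-world scenario, a custom renderer registered for `<h:inputHidden>` that writes the value without escaping, can be made concrete. The following is an added example and not code from the question, the answer or the JSF project: a hypothetical custom hidden-field renderer (class name `EscapingHiddenRenderer` is invented) that shows the unsafe way of emitting the value as a comment beside the correct way. The JSF API calls used (`Renderer`, `ResponseWriter.writeAttribute`, `@FacesRenderer`, the `javax.faces.Hidden` renderer type) are the standard JSF 2.x ones; converter handling is left out for brevity.

```java
// Added example (not from the question, the answer, or JSF itself): a custom
// renderer for <h:inputHidden>. Registering a renderer with this component
// family and renderer type replaces the stock hidden-field renderer, which is
// exactly the situation the answer describes. Class name is hypothetical.
import java.io.IOException;
import java.util.Map;

import javax.faces.component.UIComponent;
import javax.faces.component.UIInput;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import javax.faces.render.FacesRenderer;
import javax.faces.render.Renderer;

@FacesRenderer(componentFamily = UIInput.COMPONENT_FAMILY, rendererType = "javax.faces.Hidden")
public class EscapingHiddenRenderer extends Renderer {

    @Override
    public void decode(FacesContext context, UIComponent component) {
        // On postback, read the submitted value back by client id, as the
        // stock renderer does, so the component still round-trips.
        Map<String, String> params = context.getExternalContext().getRequestParameterMap();
        String clientId = component.getClientId(context);
        if (params.containsKey(clientId)) {
            ((UIInput) component).setSubmittedValue(params.get(clientId));
        }
    }

    @Override
    public void encodeEnd(FacesContext context, UIComponent component) throws IOException {
        ResponseWriter writer = context.getResponseWriter();
        String clientId = component.getClientId(context);
        Object value = ((UIInput) component).getValue();
        String text = (value == null) ? "" : value.toString();

        // DON'T: concatenating the value into raw markup bypasses JSF's escaping.
        // ResponseWriter.write() emits the string verbatim, so a value that
        // contains a double quote ends the attribute and the rest becomes markup.
        // This is the only kind of code that turns the Fortify finding into a
        // real issue:
        //
        //   writer.write("<input type=\"hidden\" name=\"" + clientId
        //              + "\" value=\"" + text + "\"/>");

        // DO: build the element through the ResponseWriter. writeAttribute()
        // converts HTML-sensitive characters (including '<', '>', '&' and '"')
        // to character entities before they reach the page, which is what the
        // default <h:inputHidden> renderer relies on as well.
        writer.startElement("input", component);
        writer.writeAttribute("type", "hidden", null);
        writer.writeAttribute("name", clientId, "clientId");
        writer.writeAttribute("id", clientId, "clientId");
        writer.writeAttribute("value", text, "value");
        writer.endElement("input");
    }
}
```

A quick check that the renderer in use actually escapes: bind the hidden field to a bean property whose value contains a double quote and an angle bracket, render the page in a test deployment and view the source. With the stock renderer or the `writeAttribute` version above, the value attribute contains `&quot;` and `&lt;` rather than the raw characters; if the raw characters appear, the application has a renderer like the commented-out one and that renderer, not the Facelets page, is what needs fixing.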