lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb in contrast-agent-4.13.1 vs lib/contrast/agent/assess/policy/trigger_validation/xss_validator.rb in contrast-agent-4.14.0

- old
+ new

@@ -16,10 +16,10 @@
# A finding is valid for XSS if the response type is not one of
# those assumed to be safe
# https://bitbucket.org/contrastsecurity/assess-specifications/src/master/rules/dataflow/reflected_xss.md
def self.valid? _patcher, _object, _ret, _args
content_type = Contrast::Agent::REQUEST_TRACKER.current&.response&.content_type
- return true unless content_type
+ return false unless content_type
content_type = content_type.downcase
SAFE_CONTENT_TYPES.none? { |safe_type| content_type.index(safe_type) }
end
end
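Review bot: The flipped guard `return false unless content_type` now silently drops a reflected-XSS finding whenever no response content type can be read, which includes the case where no Content-Type header was set at all — and an untyped response is one a browser may MIME-sniff as HTML, so "no type" is not evidence the response is safe. If the intent is to cut false positives from requests that never produced a response, it would be worth distinguishing "no current request/response" (the nil from the `current&.response` chain) from "response present but Content-Type missing" before treating both as invalid; I can't tell from the hunk which of the two motivated the change. The header comment also still describes the old rule and should reflect the new precondition, e.g. `# A finding is valid for XSS only when a response content type is present and` / `# it is not one of those assumed to be safe; with no content type the finding is dropped`. The enclosing module of `valid?` begins outside the hunk.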