After scanning and generating a report from ZAP, it reported a reflected XSS on sord, sidx, _search and nd.
But I think I don't have to sanitize it. Or do I have to?
I'm doing my sanitation part on the server side.
Can I ask for enlightenment as to what's the reason why it was reported? Any help is greatly appreciated.
ZAP detects XSSs by injecting a 'safe' value into all fields and then sends specially crafted attacks that try to break out of the contexts the safe values are reflected in so that JavaScript attacks can be executed. It will have taken account of server side sanitation, but false positives are always a possibility.
ZAP will report the 'evidence' that it used to determine that an XSS vulnerability is present. Can you post that as well as the surrounding HTML?
If you're sure they are false positives then please report them via ZAP Issues: https://github.com/zaproxy/zaproxy/issues
Cheers, Simon (ZAP Project Lead)
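An added example, not from either poster and not ZAP's own code, of the first half of what Simon describes: reflect a harmless canary through each of the four jqGrid parameters and classify where and how it comes back, which is how you can check your own server-side sanitisation against the flagged parameters before deciding a finding is a false positive. The parameter names come from the question; the HTML responses and the canary value are constructed for illustration.

```python
import html
import re

# Constructed probe value: an alphanumeric marker plus the characters that
# let a reflection break out of HTML text, attribute and script contexts.
CANARY = 'zap7"\'<>'
MARKER = re.sub(r'[^A-Za-z0-9]', '', CANARY)   # 'zap7'


def _context(prefix: str) -> str:
    """Classify the HTML context at the end of `prefix` (text before the reflection)."""
    low = prefix.lower()
    if low.rfind('<script') > low.rfind('</script'):
        return 'script'
    if low.rfind('<!--') > low.rfind('-->'):
        return 'comment'
    if low.rfind('<') > low.rfind('>'):
        return 'attribute'      # still inside an open tag, i.e. an attribute value
    return 'text'


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """How does `canary` come back in `body`?
    'absent'        - marker not reflected at all (e.g. jqGrid's nd cache-buster)
    'encoded'       - marker reflected but its metacharacters were changed or stripped
    'raw:<context>' - canary reflected verbatim, plus the context it landed in
    Partial encoding (say < > escaped but quotes left alone) also lands in
    'encoded', so the evidence ZAP reports still deserves a look."""
    idx = body.find(canary)
    if idx == -1:
        return 'encoded' if MARKER in body else 'absent'
    return 'raw:' + _context(body[:idx])


# Constructed responses for the four jqGrid parameters named in the question.
SAMPLE_RESPONSES = {
    'sidx': '<p>Sorted by ' + html.escape(CANARY, quote=True) + '</p>',   # encoded server side
    'sord': '<a href="?sord=' + CANARY + '">sort</a>',                    # echoed raw into an attribute
    '_search': '<script>var cfg = {search: "' + CANARY + '"};</script>',  # echoed raw into inline JS
    'nd': '<p>rows: 10</p>',                                              # never reflected
}


def audit(responses: dict) -> dict:
    """Map each parameter name to the classification of its reflection."""
    return {name: classify_reflection(body) for name, body in responses.items()}


if __name__ == '__main__':
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f'{name:8} {verdict}')
```

Only the 'raw:' verdicts are worth escalating; 'encoded' means the server-side sanitisation did change the metacharacters, and 'absent' means the parameter never reaches the page at all.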