Improper neutralization of script-related HTML tags (Basic XSS) in Java with Spring

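I am using Veracode to verify my code, and on the line "return collectionService.getAllNotificationDrop()" in the method below I get the error "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)".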

// Controller method: the returned list is serialized into the HTTP response body.
@RequestMapping(value = "loadAllNotification", method = RequestMethod.GET)
public @ResponseBody List<UserVO> loadAllNotification() {
    try {
        // Veracode reports CWE-80 on this line.
        return collectionService.getAllNotificationDrop();
    } catch (Exception e) {
        LOGGER.debug(e);
        return null;
    }
}

// Service method: reads login_id and the concatenated name from user_master.
public List<UserVO> getAllNotificationDrop() throws Exception {
    LOGGER.info("Entered new method ====> getAllNotificationDrop() ");
    List<UserVO> users;
    Session session = em.unwrap(Session.class);
    try {
        users = session.createSQLQuery("SELECT login_id as userId,first_name||' '||last_name as firstName "
                + " FROM user_master")
                .addScalar("userId", StandardBasicTypes.STRING)
                .addScalar("firstName", StandardBasicTypes.STRING)
                .setResultTransformer(Transformers.aliasToBean(UserVO.class))
                .list();
    } catch (Exception e) {
        throw new Exception("Error in getAllNotificationDrop", e);
    } finally {
        session.clear();
    }
    LOGGER.info("Method End ====> getAllNotificationDrop() ");
    return users;
}

Please help me resolve this issue; I have had no leads for the past few days.
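
An added example, not part of the original question: the flagged line returns database strings (first_name, last_name, login_id) straight into the response body, and one way to neutralize them is to HTML-encode each String field before the controller returns the list, here with Spring's HtmlUtils.htmlEscape. The UserVO stand-in, the encodeForHtml helper and the sample rows are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.web.util.HtmlUtils;

public class NotificationEncodingExample {

    // Minimal stand-in for the question's UserVO (assumed shape: two String fields).
    static class UserVO {
        private final String userId;
        private final String firstName;
        UserVO(String userId, String firstName) { this.userId = userId; this.firstName = firstName; }
        String getUserId() { return userId; }
        String getFirstName() { return firstName; }
    }

    // Hypothetical helper: returns copies whose String fields are HTML-encoded,
    // leaving the objects loaded from the database untouched.
    static List<UserVO> encodeForHtml(List<UserVO> users) {
        List<UserVO> safe = new ArrayList<>();
        if (users == null) {
            return safe; // an empty list is easier for callers than null
        }
        for (UserVO u : users) {
            safe.add(new UserVO(escape(u.getUserId()), escape(u.getFirstName())));
        }
        return safe;
    }

    // Null-safe wrapper; htmlEscape replaces &, <, >, " and ' with entity references.
    private static String escape(String value) {
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    public static void main(String[] args) {
        // Constructed sample rows standing in for user_master content.
        List<UserVO> rows = new ArrayList<>();
        rows.add(new UserVO("jdoe", "John Doe"));
        rows.add(new UserVO("msmith", "<b>Mary</b> O'Neil & Co"));
        rows.add(new UserVO("nobody", null));
        for (UserVO u : encodeForHtml(rows)) {
            System.out.println(u.getUserId() + " -> " + u.getFirstName());
        }
        // In the controller the flagged line would become:
        // return encodeForHtml(collectionService.getAllNotificationDrop());
    }
}
```

If the client writes these values into the page as text rather than as markup, do the encoding at that rendering point instead, so the data is not encoded twice.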
