Is non-executed content still considered XSS?


I’m working through an OWASP Zap report that has flagged several URLs on the domain as being vulnerable to XSS, but the vulnerability is never output in a context that is executable by the browser. For instance, the report is showing

path/contacts.php?search=John%3Balert%281%29 

decoded: path/contacts.php?search=John;alert(1)

as a vulnerable URL.

The application does reflect this particular content in the response to the user:

var search = "John;alert(1)"; 

which I think is what triggers the Alert as an XSS attack in the application.

The XSS here is that an attacker could introduce whatever arbitrary code they wanted to in this context and have it reflected to the user’s browser, but this code is never executed.

Testing the vulnerability manually, the application is converting characters in the attempted attack before outputting in the response (using PHP’s htmlentities function), so something like

?search=John";alert(1); 

gets returned as:

var search = "John";alert(1);"; 

So the question is, does this still qualify as an active XSS vulnerability?

Note: I have noted that there is still opportunity for proper validation of the input parameters, but my concern is the security implications here.