Done everything I could with the code to fix it but Veracode still gives error for the following code:
Byte bytes = (Byte)dt.Rows[i]["Content"];
Response.Buffer = true;
Response.ContentType = StringEncode(HttpUtility.HtmlEncode(dt.Rows[i]["Extension"].ToString()));
Response.AddHeader("content-disposition", "attachment;filename=" + StringEncode(HttpUtility.HtmlEncode(dt.Rows["FileName"].ToString())));
I think you can safely mark this as a false positive when your users are using modern browsers.
Setting content disposition to download the response as an attachment should prevent any scripting from being executed in the browser. It appears that Veracode has not picked up the fact that you are doing this.
Note that old browsers like IE 6/7 will ignore the the content-disposition header if they already have the response cached. You could possibly detect the cases when these browsers are used and prevent the content from loading in these browsers.