So, let me start off by saying that I am not familiar with the tool that is used to detect these issues. However, I am familiar with other automated scanning tools, and in my role as architect, it sometimes falls to me to explain why the results of an automated scan are not applicable. In this case, it is pretty clear that this is an automated process as well, and that it produces incorrect results:
In my experience, these kinds of attacks are not applicable to a Mendix application: the platform ensures that this does not happen. What I usually do is engage in a conversation with the people performing the scans, ask them why they think there is a problem, and show them (somehow) that even though a certain request can be sent, it is handled differently than the scanning tool expects.
Do note, though, that “rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf” may actually indicate an issue: out of the box, Mendix prevents XSS attacks, but custom widgets require developer attention to prevent XSS attacks. I would consider it worthwhile to investigate this issue, to ensure that XSS attacks are not actually possible.