Hi.
I am scanning the code with Fortify, and it shows me more than 2000 issues, like Cross-Site Scripting, Dynamic Code Evaluation: Code Injection, Insecure Transport and Path Manipulation. Many of them are false positives, but for some of them, when I try to block the vulnerability with functions like htmlspecialchar, some windows do not appear when I am browsing the system. My question is: how can I protect my information or server without editing the code?
Since LimeSurvey is open source, its code has been scanned many times over, by humans and machine tools, and is being vetted regularly.
I can tell you for sure that the tool you are using is producing only useless false positives. I would not worry about that.
However, sometimes a new issue is found. But those found in recent times are usually something that would allow a logged-in admin to do something that might trick another admin into doing something they don't want. These issues are usually classified as low risk, because the setup of such a scenario is tricky and usually a long shot for an attacker.
There are hundreds of thousands of LimeSurvey installations out there, besides the ones we host. If there was any medium or high severity issue, we would know quickly.
So if you don't allow unknown people into your installation as administrators and update regularly, I think there is a close to zero risk that anything bad will happen.
I would say it is just as important that your webserver is set up properly.
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member.
Professional support - Plugins, theme and development.
I don't answer private messages.