I am not a specialist on this, but your code looks complicated and overkill.
drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))
As I understand it:
System.Configuration.ConfigurationManager.AppSettings("Drive")
is a string, then you convert it to a string:
System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()
Then you format it as an identical string:
String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString())
Your code should simplify to:
drive = AntiXssEncoder.XmlEncode(System.Configuration.ConfigurationManager.AppSettings("Drive"))
and the same for folder and file.
I am not even sure you need to encode the string.
For your vulnerability, read the message carefully!
It is a vulnerability if it is user input, which is not your case.