My application has been flagged for an XSS violation. The step to repro is just to paste the below URL into a browser and an alert with "XSS" will be shown. You can see the injection highlighted in red. How can I guard against this?
https://serverurl/portal/sc/IDACall?isc_rpc=1&isc_v=9.1p_2014-07-13&isc_xhr=1&isc_tnum=13&_transaction=<transaction xmlns%3axsi%3d"http%3a%2f%2fwww.w3.org%2f2000%2f10%2fXMLSchema-instance" xsi%3atype%3d"xsd%3aObject"><transactionNum xsi%3atype%3d"xsd%3along">13<%2ftransactionNum><operations xsi%3atype%3d"xsd%3aList"><elem xsi%3atype%3d"xsd%3aObject"><criteria xsi%3atype%3d"xsd%3aObject"><%2fcriteria><operationConfig xsi%3atype%3d"xsd%3aObject"><dataSource>sitesModule<%2fdataSource><operationType>fetch<%2foperationType><textMatchStyle>startsWith<%2ftextMatchStyle><%2foperationConfig><startRow xsi%3atype%3d"xsd%3along">0<%2fstartRow><endRow xsi%3atype%3d"xsd%3along">75b9dp7%26lt%3bimg src%3da onerror%3dalert('XSS')>zei05<%2fendRow><componentId>isc_PickListMenu_0<%2fcomponentId><appID>builtinApplication<%2fappID><operation>sitesModule_fetch<%2foperation><oldValues xsi%3atype%3d"xsd%3aObject"><%2foldValues><%2felem><%2foperations><%2ftransaction>&protocolVersion=1.0
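One way to neutralise this class of reflected value on the server side, as an added example that is not part of the original post or of SmartClient's own code: parse the `_transaction` document, accept `endRow` only as an integer, and HTML-escape anything that is echoed back in an error message. It assumes the alert fires because the rejected `endRow` text is reflected unescaped, which the question does not state explicitly; the XML sample is constructed from the structure of the URL above.

```python
"""Validate and safely reflect the endRow value of a SmartClient-style
_transaction document. Added example, not SmartClient's own code."""
import html
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# For real untrusted input prefer defusedxml; the stdlib parser is enough
# to show the validation and escaping steps here.


def parse_end_row(transaction_xml: str) -> Optional[str]:
    """Return the decoded text of <endRow>, or None if it is absent."""
    root = ET.fromstring(transaction_xml)
    node = root.find(".//endRow")
    return node.text if node is not None else None


def validate_end_row(raw: Optional[str]) -> Optional[int]:
    """Accept only a non-negative integer; anything else is rejected."""
    if raw is None or not raw.strip().isdigit():
        return None
    return int(raw)


def render_error(raw: str) -> str:
    """Error message in which the rejected value is HTML-escaped, so any
    markup inside it is displayed as text rather than interpreted."""
    return "<p>Invalid endRow value: %s</p>" % html.escape(raw, quote=True)


def handle_end_row(transaction_xml: str) -> Tuple[int, str]:
    """Return (http_status, body): valid values are used, invalid ones are
    echoed back only after escaping."""
    raw = parse_end_row(transaction_xml)
    value = validate_end_row(raw)
    if value is None:
        return 400, render_error(raw or "")
    return 200, "<p>endRow=%d</p>" % value


# Constructed sample mirroring the URL in the question: the XML entity
# &lt; decodes to a literal '<' once the document is parsed.
SAMPLE = (
    '<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"'
    ' xsi:type="xsd:Object"><startRow xsi:type="xsd:long">0</startRow>'
    '<endRow xsi:type="xsd:long">'
    "75b9dp7&lt;img src=a onerror=alert('XSS')>zei05"
    '</endRow></transaction>'
)
```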