We have several applications that contain XSS (Cross Site Scripting) vulnerabilities and are looking for solutions to eliminate these issues. The response we received from IBM is as follows.
"Add input verification on the field that is computed to @URLQueryString("count"). Input validation can be added to make sure that the content grabbed from the URIString is an integer, as opposed to printing the content back out exactly as is without checking its values."
Basically we have been advised that any field that is set inside pass-thru HTML needs to be removed from PTH, and validation code needs to be written to scrub the URL containing "@URLQueryString" to ensure that no unwanted characters are passed to the page/form being rendered to the screen.
If anyone out here has a better suggestion or can provide information on how they worked around XSS in their environment, please let me know. I can be reached directly at colaw@deloitte.com
Thanks in advance for any feedback.
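As an added illustration of the IBM advice above (not code from the original post or from the poster's applications), here is what the computed field formula looks like before and after validation. The hardened version never echoes the raw query-string value: it converts it to a number, rejects anything that is not numeric, and emits only the digits of an integer, which cannot carry HTML markup even inside pass-thru HTML. The field name, the "0" fallback value and the upper bound of 10000 are assumptions for the example.

```formula
REM {Before (vulnerable): the query-string value is echoed unchanged into pass-thru HTML};
REM {   @URLQueryString("count")   };

REM {After (validated): only a whole number derived from the value reaches the page};
raw := @URLQueryString("count");
n := @TextToNumber(raw);

REM {@TextToNumber returns @Error for anything that is not numeric, e.g. "12<script>"};
REM {Assumed policy: reject errors and out-of-range values, fall back to "0"};
@If(
    @IsError(n); "0";
    n < 0 | n > 10000; "0";
    @Text(@Integer(n))
)
```

Where the value is displayed rather than used in markup, the simpler alternative noted above is to take the field out of pass-thru HTML so Domino encodes it for you.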