Everything will depend on what type of XSS you intend to solve. There are two kinds:
Persistent XSS (Stored XSS): occurs in those parts of the site where a user enters data that can later be shown to other users; that is, wherever information is stored in a database or a text file. Examples are forum posts, comments on wikis, blogs, etc. Here what you should do is check the data being inserted for disallowed words and characters in order to avoid the XSS attack.
Reflected XSS: occurs when the script is included in the parameters of a web request. For example, a user passes a link to your website to someone else, but that link contains a script, or a user enters a script in one of those parameters. In this case you have to check the addresses and parameters you receive in order to avoid the attack. This is not the same as phishing, do not confuse the two.
The way to protect the site against XSS is by filtering the input data that the user enters, verifying that it does not carry unwanted tags. For this, it is best to make a white list (a list of things the user is allowed to enter) instead of a black list (things that are not allowed). With a white list, if you forget something, the user simply will not be able to enter it; with a black list, if you forget a tag, the page is vulnerable.
Another way to protect yourself would be to use Apache's mod_security: you would have to install it and configure it to filter all those requests, but it is recommended to do it the first way so that you can control your entire flow better from code. This works for any programming language.
For PHP you would have to use the validation filters in PHP. You also have this Google library.
Here you have more information about data validation, the AntiSamy project and JSP.
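The two controls the answer describes, a white list on the input and escaping on the output, side by side in PHP. This is an added example, not code from the original answer or from any of the libraries it links; the function names and the sample values are assumptions made here.

```php
<?php
// Added example (not from the original answers): white-list validation of input
// plus HTML-context escaping of output, covering the reflected and stored cases.
declare(strict_types=1);

// White list for a username: only these characters, only this length.
// Anything else is rejected outright rather than "cleaned".
function validateUsername(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{3,32}$/', $raw) === 1 ? $raw : null;
}

// White list for an integer id taken from the query string (the reflected case),
// using PHP's built-in validation filters.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Free text such as a forum comment (the stored case) cannot be reduced to a
// pattern, so it is stored as typed and escaped for the HTML context every time
// it is rendered. ENT_QUOTES covers attribute values, ENT_SUBSTITUTE avoids an
// empty string on invalid UTF-8.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET / $_POST values.
$samples = [
    'user'    => 'ana_92',
    'badUser' => '<script>alert(1)</script>',
    'id'      => '42',
    'badId'   => '1 OR 1=1',
    'comment' => 'Hello <b>world</b> & "friends"',
];

var_dump(validateUsername($samples['user']));    // accepted
var_dump(validateUsername($samples['badUser'])); // null: reject the request
var_dump(validateId($samples['id']));            // accepted as int
var_dump(validateId($samples['badId']));         // null: not an integer
echo escapeHtml($samples['comment']), PHP_EOL;   // tags and quotes rendered as text
```

The point of the split is that validation decides whether a request is accepted at all, while escaping protects the page when the stored text is later shown to other users; a comment that failed validation would never be stored, and one that passed is still escaped on every render. Escaping with htmlspecialchars is correct only for HTML element and attribute context; text placed inside a script block, a URL or a CSS rule needs the encoding for that context instead.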
What you should do is control what users enter in the inputs of your website. To clean all the possible XSS attacks in PHP there is a very good library; here is its link so you can take a look at it:
http://htmlpurifier.org/
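When a field has to accept some HTML (a rich-text comment, for instance), escaping everything is not an option and a white list of tags and attributes is what the library linked above provides. The following is an added example of using HTML Purifier that way; it is not code from the original answer or from the project, and it assumes the library was installed through Composer as ezyang/htmlpurifier so that vendor/autoload.php exists.

```php
<?php
// Added example (not from the original answer): sanitising rich-text comments with
// HTML Purifier using a white list of elements, attributes and URL schemes.
// Assumes a Composer install of ezyang/htmlpurifier (vendor/autoload.php present).
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // White list: the only elements and attributes a comment may keep.
    // Everything not listed (script, on* handlers, style, iframes) is removed.
    $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],ul,ol,li,br');
    // Only http and https links survive, so javascript: and data: URLs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Where the library caches its serialized definitions; any writable dir works.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

function cleanComment(string $dirty): string
{
    static $purifier = null;
    $purifier ??= buildPurifier();
    return $purifier->purify($dirty);
}

// Constructed sample: allowed markup mixed with things the white list must strip.
$dirty = '<p onclick="x()">Hi <b>there</b> <a href="javascript:alert(1)">link</a>'
       . '<script>alert(1)</script></p>';

echo cleanComment($dirty), PHP_EOL;
```

Run this at the moment the comment is stored and again, or instead, at the moment it is rendered; the second option is safer if the allowed-tag list may change later, since what is on disk is then never trusted directly. Keep the list as short as the feature really needs: every element or attribute added to HTML.Allowed is one more thing the parser has to get right.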