I've just started using N-Stalker and Acunetix Web Vulnerability Scanner -- both free editions. I've found that using the WA DataAssist Insert, I'm getting the below, however, from what I'm reading on deciphering this and their recommendations, the WA code has the necessary post restrictions, including the real escape string & mysql escape string. I don't know how to make my user input safe...
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
URL encoded POST input rfpHOpages was set to " onmouseover=prompt(929000) bad="
The input is reflected inside a tag element between double quotes.
URL encoded POST input rfpAVReq was set to 1</textarea>1<ScRiPt >prompt(959056)</ScRiPt>
The input is reflected inside <textarea> tag.