Cross Site Scripting (XSS) issues when using URL Queries that are shown in the address field
I have a client that is getting flagged as having XSS vulnerabilities on their site.
For instance, we have a generic page that uses the URL string as a value in the page. These are cities, and they allow a number of pages to have some SEO benefit without having to write content for each city.
Example:
https://www.savonhomes.com/cities.php?id=Riverside
But this string will also allow HTML tags, such as:
https://www.savonhomes.com/cities.php?id=<h1>Riverside</h1>
This shows that "tags" can be used in the page, and it is being flagged as an XSS vulnerability.
Personally I don't see how this could be a problem other than our client getting notices from companies that want to solve this condition.
Should I sanitize the URL parameter input prior to using it in the page, or is it best practice to disallow the page from rendering if certain characters are present (<>, etc.)?
Views?
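As an added illustration (not code from the site in the question), the following PHP shows what a reflected-XSS scanner is reacting to and the two fixes the question asks about side by side: the raw echo of `$_GET['id']`, the same output with HTML encoding, and a version that only renders cities from an allow-list. `cities.php` and the `id` parameter come from the question; the city list, the payload and the function names are constructed for the example.

```php
<?php
// Added example, not the original site's code. Demonstrates reflected XSS in a
// city landing page and two hardened variants. The allow-list below is a
// constructed assumption; a real site would load it from its own data.

declare(strict_types=1);

// Vulnerable: the query parameter is echoed straight into HTML, so a visitor
// who follows ?id=<script>...</script> runs attacker script in their browser.
function render_city_vulnerable(string $id): string
{
    return "<h1>Homes in {$id}</h1>";
}

// Hardened option 1: output-encode for the HTML element context. The value is
// still untrusted, but < > " ' & now arrive in the browser as literal text.
function render_city_encoded(string $id): string
{
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h1>Homes in {$safe}</h1>";
}

// Hardened option 2: validate against the cities the site actually serves and
// refuse everything else, so nothing attacker-controlled is reflected at all.
const KNOWN_CITIES = ['Riverside', 'Corona', 'Moreno Valley'];   // constructed list

function render_city_allowlisted(string $id): ?string
{
    if (!in_array($id, KNOWN_CITIES, true)) {
        return null;   // caller answers with 404 or a redirect to a known city
    }
    // Encode anyway: defence in depth costs nothing here.
    return '<h1>Homes in ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Command-line demonstration (php cities_example.php). In cities.php the value
// would come from $_GET['id'] ?? '' instead of this constructed payload.
$payload = '<img src=x onerror=alert(1)>';

echo 'Vulnerable : ' . render_city_vulnerable($payload) . PHP_EOL;
// <h1>Homes in <img src=x onerror=alert(1)></h1>   (script executes)

echo 'Encoded    : ' . render_city_encoded($payload) . PHP_EOL;
// <h1>Homes in &lt;img src=x onerror=alert(1)&gt;</h1>   (rendered as text)

var_dump(render_city_allowlisted($payload));          // NULL, page not rendered
echo 'Allowlisted: ' . render_city_allowlisted('Riverside') . PHP_EOL;
```

The encoding shown is correct only for text inside an HTML element; if the same parameter is also placed into an attribute, a `<title>`, a URL or inline JavaScript, each of those contexts needs its own encoding. The allow-list approach sidesteps that question entirely for a page like this, where the set of valid values is known in advance.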