Cross Site Scripting (XSS) issues when using URL Queries that are shown in the address field
I have a client that is getting flagged as having XSS vulnerabilities on their site.
For instance, we have a generic page that uses the URL string as a value in the page. These are cities and allow a number of pages to have some SEO benefit without having to write content for each city.
But this string will also allow HTML tags such as:
This shows that "tags" can be used in the page and is being flagged as an XSS vulnerability.
Personally I don't see how this could be a problem other than our client getting notices from companies that want to solve this condition.
Should I sanitize the URL parameter input prior to using it in the page, or is it best practice to prevent the page from rendering if certain characters are present (<>, etc.)?
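The reflected-XSS pattern the question describes, reduced to its essentials as an added example (not code from the questioner's site): the same `city` query parameter is rendered three ways, verbatim as the scanner saw it, with HTML output encoding, and with an allowlist check in front of the encoding. The URLs, the `city` parameter name and the page template are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs: one ordinary value and two of the kind a
# vulnerability scanner sends to see whether markup survives into the page.
SAMPLE_URLS = [
    "https://example.invalid/service?city=Springfield",
    "https://example.invalid/service?city=<b>Springfield</b>",
    "https://example.invalid/service?city=<script>alert(1)</script>",
]


def city_from_url(url: str) -> str:
    """Return the first 'city' query value, or '' if it is absent."""
    return parse_qs(urlparse(url).query).get("city", [""])[0]


def render_unsafe(city: str) -> str:
    """The pattern in the question: the parameter lands in the HTML verbatim,
    so any tags in it are interpreted by the browser."""
    return f"<h1>Services in {city}</h1>"


def render_encoded(city: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the browser
    shows the value as text. This is the fix that closes the finding."""
    return f"<h1>Services in {html.escape(city, quote=True)}</h1>"


# Allowlist for a city name: letters, spaces, dots, apostrophes, hyphens.
CITY_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")


def render_validated(city: str, fallback: str = "your area") -> str:
    """Input validation as a second layer: a value that does not look like a
    city name is replaced by a neutral default instead of refusing to render
    the page. Encoding is still applied, because validation alone is not
    what makes the output safe."""
    if not CITY_RE.fullmatch(city):
        city = fallback
    return render_encoded(city)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        value = city_from_url(url)
        print("unsafe:   ", render_unsafe(value))
        print("encoded:  ", render_encoded(value))
        print("validated:", render_validated(value))
```

Encoding at the point of output is the answer to the flagged finding; the allowlist only narrows what reaches that point and lets legitimate values like "St. John's" through.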