How to avoid apps from XSS attacks?

Question

How to safe guard our web applications from XSS attacks? One app is vulnearable to attack, if it does not do any conversion of a special charecters.

Answer 1

HTML escaping inputs works very well. But in some cases business rules might require you NOT to escape the HTML. Using REGEX is not fit for the task and it is too hard to come up with a good solution using it.

The best solution I found was to use: http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

It builds a DOM tree with the provided input and filters any element not previosly allowed by a Whitelist. The API also has other functions for cleaning up html.