Tags: java, xss, owasp, security-testing

XSS attack: Alternative to OWASP?


Is there any alternative way to prevent XSS attacks other than the OWASP XSS filter software? I need suggestions on whether it is possible to prevent it at the Apache level. I am not a security expert, so I need detailed information. Thanks for your help.


Solution

XSS issues occur in the presentation layer, when the data is displayed to the end user. So preventing this at the Apache level is not a valid approach.

OWASP ESAPI is a library (not filter software) that provides XSS protection as an API to encode data in the presentation layer. Whenever something that is affected by user input is to be displayed, proper encoding should be applied. For example, the OWASP XSS Prevention Cheat Sheet has the following example for the JavaScript context:

    String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );

and this one for the "HTML attribute" context:

    String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );

Proper encoding varies depending on the current context (HTML, HTML attribute, JavaScript, etc.).

If you prefer not to use the OWASP library, you can do encoding by using other libraries like apache.commons.StringEscapeUtils. But you need to be very careful in choosing the correct method for your context.
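As an added illustration of the context dependence the answer describes (example code, not from the answer or from ESAPI), here is a self-contained Java encoder that applies the cheat sheet's "encode everything except alphanumerics" rule to the HTML and JavaScript-string contexts; the class, enum and method names are assumptions of this example.

```java
// Added example: a minimal context-aware output encoder. It is not ESAPI's
// implementation; it only mirrors the OWASP cheat sheet rule per context.
public class ContextualEncoder {

    public enum Context { HTML_BODY, HTML_ATTRIBUTE, JAVASCRIPT_STRING }

    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    // HTML body and attribute context: every non-alphanumeric character becomes
    // a numeric character reference. Attributes must still be quoted in the template.
    public static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (isAlnum(c)) out.append(c);
            else out.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return out.toString();
    }

    // JavaScript string-literal context: every non-alphanumeric character becomes
    // \xHH (or backslash-u HHHH above 0xFF). HTML entities are useless here because
    // the HTML parser does not decode them inside a <script> block.
    public static String encodeForJavaScriptString(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (isAlnum(c)) out.append(c);
            else if (c <= 0xFF) out.append(String.format("\\x%02X", (int) c));
            else out.append(String.format("\\u%04X", (int) c));
        }
        return out.toString();
    }

    // Single entry point so the caller has to name the sink's context explicitly.
    public static String encodeFor(Context ctx, String untrusted) {
        switch (ctx) {
            case JAVASCRIPT_STRING: return encodeForJavaScriptString(untrusted);
            default:                return encodeForHtml(untrusted);
        }
    }

    public static void main(String[] args) {
        String input = "Tom's \"quoted\" <b>text</b>";   // constructed untrusted input
        System.out.println("<p>" + encodeFor(Context.HTML_BODY, input) + "</p>");
        System.out.println("<input value=\"" + encodeFor(Context.HTML_ATTRIBUTE, input) + "\">");
        System.out.println("<script>var v = \"" + encodeFor(Context.JAVASCRIPT_STRING, input) + "\";</script>");
    }
}
```

Running it prints the same input rendered three ways; swapping the encoders (entities inside the script string, backslash escapes inside the HTML body) produces corrupted text rather than protection, which is the mismatch the answer warns about.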