After running OWASP ZAP scanning tool against our application, we see a number of XSS vulnerabilities when the tool attacked with this string:
" onMouseOver="alert(1);
or
;alert(1)
So such strings will appear in the server response. Though it doesn't do anything in the browser. Maybe it's trying to insert additional attributes to Html tags, but how to solve the problem?
If you can post the html surrounding the injected attack then that might be enough. If you select the alert in ZAP then the attack will be highlighted in the Response tab. Note that we have just released updated active scan rules which fix a false positive in the reflected XSS scan rule, so make sure you update the rules and then scan again.