Created an XSS filter using ESAPI (refer to https://dzone.com/articles/stronger-anti-cross-site) and defined it in web.xml. Scanned the ear file using Veracode. Veracode is still flagging the same issues as XSS issues. Does Veracode not accept using a Servlet filter as a resolution for XSS issues in code?
Don't use that filter. The author is way too optimistic about what it can do. There are many ways to exploit XSS. Look at the XSS Filter Evasion Cheat Sheet for some examples. Take one at random, for example: <IMG SRC=# onmouseover="alert('xxs')"> and run it through the filter. It's passed straight through.
The way they've done the replacements can leave the input in a worse state than it started. By removing script tags from <<script>script>alert('xss')</<script>script>, you're left with <script>alert('xss')</script>
Even with adding more patterns, the blacklist approach is wrong because it can't cover all the possibilities and can corrupt valid data. To prevent the XSS issues, you should make sure any data added to the page is HTML encoded. See: XSS prevention in JSP/Servlet.
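To make the contrast in this answer concrete, here is an added example (not code from the question, the answer, or the DZone article) that puts a single-pass tag-stripping rule next to plain HTML output encoding. The stripping regex is an assumed stand-in for the article's blacklist, and the two inputs are the answer's nested-tag payload and the cheat-sheet IMG payload; ESAPI is deliberately not used so the class runs with only the JDK.

```java
import java.util.regex.Pattern;

/**
 * Added example: why stripping tags from input fails where encoding output succeeds.
 * The blacklist pattern below is an assumption, written to mirror the kind of rule
 * the filter in the question relies on, not the article's exact expression.
 */
public class XssFilterDemo {

    // Assumed blacklist rule: remove any <script ...> or </script> tag, case-insensitively.
    private static final Pattern SCRIPT_TAG =
            Pattern.compile("</?script[^>]*>", Pattern.CASE_INSENSITIVE);

    /** Single-pass tag stripping, in the style of a blacklist input filter. */
    public static String stripScriptTags(String input) {
        return SCRIPT_TAG.matcher(input).replaceAll("");
    }

    /** Output encoding: every character that can change HTML structure becomes an entity. */
    public static String encodeForHtml(String input) {
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the nested-tag payload from the answer and the cheat-sheet IMG payload.
        String nested = "<<script>script>alert('xss')</<script>script>";
        String img = "<IMG SRC=# onmouseover=\"alert('xxs')\">";

        // Removing the inner tags joins the surrounding fragments back into a live script tag.
        System.out.println("stripped nested : " + stripScriptTags(nested));
        // The IMG payload contains no script tag at all, so the blacklist never fires.
        System.out.println("stripped img    : " + stripScriptTags(img));

        // Encoding leaves no angle brackets or quotes for the browser to parse as markup,
        // and it does so regardless of which tag or attribute the payload uses.
        System.out.println("encoded nested  : " + encodeForHtml(nested));
        System.out.println("encoded img     : " + encodeForHtml(img));
    }
}
```

Run it with `javac XssFilterDemo.java && java XssFilterDemo`. The first two lines of output show the blacklist rebuilding one payload and ignoring the other; the last two show that encoding at the point where data is written into the page neutralises both without needing to know anything about them, which is why the answer points at output encoding rather than a longer pattern list.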