ScanAlert Cross site scripting XSS - Alleged Level 2 (of 5)

[kenlyle]

ScanAlert says that the OSCMax RC2 with 051112 patch, index.php may be vulnerable to XSS.

Here is an excerpt:

"The remote web application appears to be vulnerable to cross site scripting (XSS).

{snip}
The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.
"

"General Solution
Ensure you turn the > and < into their HTML equivalents before sending it back to the browser.

Ensure that parameters and user input are stripped of HTML tags before using.

# Remove <: input = replace( input, "<", "" )
# Remove >: input = replace( input, ">", "" )
# Remove ' : input = replace( input, "'", "" )
Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to their encoded equivalents.
"

Is there any validity to this?

What, if anything, should I do to fix it?

Thanks,
Ken