Cross-Site Scripting (XSS)
Cross-site scripting is a term used to describe problems that arise when
maliciously crafted user data causes a web application to redirect an unsuspecting
web browser to an undesired site. It was possible to send strings containing special HTML
characters ( < > " ' ) to your web application and see them rendered unchanged in the response.
Since the web application did not encode these characters, it may be possible
to inject HTML or script code into the rendered page. The injection can occur in
the HTML body, title, script blocks, or even commented-out portions of the
document.
Note: Due to the potential negative impact on this web server's resources
that could result from attacking a large number of cross-site scripting attack vectors,
TrustKeeper abandons this test after it has found at least three instances where user
input is not being properly sanitized. Therefore, it is possible that the reported
findings associated with this vulnerability are only a subset of all possible attack
vectors.
All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
CVSSv2: AV:N/AC:M/Au:N/C:N/I:P/A:N (4.3)
Reference:
- CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
- Cross-site scripting - OWASP (index.php/Cross-site_scripting)
- Data Validation - OWASP
- Reviewing Code for Cross-site scripting - OWASP
Service: Apache
Evidence:
Virtual Host: My Store
Date: 2010-08-09 15:43:15.018
Vulnerable Page: http://99.999.999.99:80/catalog/advanced_search_result.php
HTTP Request Mode: get
HTTP Status Code: 200
Test Input String: %3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E
Search Pattern:
Pattern Match:
Referrer Page: Gift Voucher FAQ ?osCsid=3fdd2b02b8b4f811a002150f831e127a
Vulnerable Parameter: search_in_description
Vulnerable Parameter: keywords
Vulnerable Parameter: osCsid
This is a generic warning based on a test that indicates that your web
application may not validate user-provided input, such as that provided by
a form. Review your web application to ensure that user data is checked
on the server side of the application (NOT in the web browser) for proper
length and character content. It is recommended that a white-list of
acceptable characters be used, with all other characters being HTML
encoded prior to being sent in response to the client. Review the
"Cross-Site Scripting", "Data Validation", and "Review Code for Cross-site
scripting" pages on OWASP.org (see the reference links in this finding).