Best Approach for removing XSS Vulnerability

There is a good resource from OWASP: XSS (Cross Site Scripting) Prevention Cheat Sheet

Basically you should validate all input data using a whitelist approach (define valid patterns, not invalid patterns as you are trying to do at this moment) AND you should encode all data on output using the encoding scheme correct for the given context (HTML, JavaScript, HTML attribute).

Correct encoding is quite difficult and you shouldn't be doing it by yourself. Instead you should use a library like the Microsoft AntiXSS Library or OWASP ESAPI.

You can also use ModSecurity (or another WAF) with correct detection rules (e.g. the ModSecurity Core Rule Set), but be aware that this should not be the only solution you use.
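The two halves of this answer, allow-list validation of constrained input and per-context output encoding, as an added illustration that is not part of the original answer or of any of the libraries it names. The handle pattern, the field names and the profile template are constructed for the example; the encoders follow the OWASP cheat sheet's rules for element content, attribute values and JavaScript string literals.

```python
import html
import re

# Allow-list validation (constructed example pattern): say exactly what a valid
# account handle looks like instead of enumerating forbidden strings.
HANDLE_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")

def validate_handle(value: str) -> bool:
    """True only if the whole input matches the allow-list pattern."""
    return HANDLE_RE.fullmatch(value) is not None

def encode_for_html_body(value: str) -> str:
    """Element content: the five HTML-significant characters become entities."""
    return html.escape(value, quote=True)

def encode_for_html_attr(value: str) -> str:
    """Quoted attribute value: every non-alphanumeric character becomes &#xHH;,
    so no character can terminate the attribute or start a new one."""
    return "".join(
        c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in value
    )

def encode_for_js_string(value: str) -> str:
    """Inside a JS string literal: non-alphanumerics become \\xHH or \\uXXXX,
    so neither the literal nor the enclosing <script> element can be closed."""
    out = []
    for c in value:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)

def render_profile(handle: str, display_name: str) -> str:
    """Validate the constrained field, then encode each value for the exact
    context it lands in: attribute, element body and JavaScript string.
    The display name is free text, so it relies on encoding alone."""
    if not validate_handle(handle):
        raise ValueError("handle rejected by allow-list validation")
    return (
        f'<div data-handle="{encode_for_html_attr(handle)}">'
        f"<h1>{encode_for_html_body(display_name)}</h1>"
        f'<script>var who = "{encode_for_js_string(display_name)}";</script>'
        "</div>"
    )

if __name__ == "__main__":
    # Constructed input: a free-text display name containing markup characters.
    print(render_profile("alice_01", 'O\'Neil <b>"quoted"</b>'))
```

Note that the same display name is encoded differently in the `<h1>` body and in the `<script>` literal; reusing one encoder for every context is the usual mistake the cheat sheet warns about.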


Nope. You should not try to fix XSS by doing URL rewriting in your Apache web server. That's not a good way to go about it, as the result will be fragile at best. In particular, if you stick with your current approach, there will most likely still be sneaky ways to exploit the XSS.

Instead, if the web application has XSS holes in it, fix the darn web application. This is an application security problem; you have to fix it by fixing the application. Trying to patch things up externally is probably going to be leaky like a sieve.

P.S. Your list of keywords is insufficient. You've built a blacklist, and like any other blacklist, your blacklist is inevitably incomplete. You're missing some stuff (* cough * onerror * cough *). I'm not going to try to provide you with a more complete list, because the approach is fundamentally broken and rather than sticking with the approach and trying to extend your list of attributes to filter -- you need to ditch the current approach entirely and fix the problem at its source.