How to prevent XSS attack with Zend Form using %

ellapony

New Member
Our company has made a website for our client. The client hired a web security company to test the pages for security before the product launches. We've removed most of our XSS problems. We developed the website with Zend. We added the StripTags, StringTrim and HtmlEntities filters to the order form elements. They ran another test and it still failed :(

They used the following for the one input field in the data of the HTTP header:

[code]name=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E[/code]

which basically translates to

[code]name=<script>alert(123);</script>[/code]

I've added alpha and alnum to some of the fields, which fixes the XSS vulnerability (touch wood) by removing the %, however, now the boss doesn't like it because what of O'Brien and double-barrel surnames...

I haven't come across the %3C as < problem reading up about XSS. Is there something wrong with my HTML character set or encoding or something? I probably now have to write a custom filter, but that would be a huge pain to do with every website and deployment. Please help, this is really frustrating.

EDIT: if it's about escaping the form's output, how do I do that? The form submits to the same page - how do I escape if I only have in my view

[code]<?= $this->form ?>[/code]

How can I get Zend Form to escape its output?
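As an added illustration (not code from the original post or from Zend Framework), the script below shows why the percent-encoded payload above is not a character-set problem: PHP URL-decodes the request before any form filter runs, so the filter already sees a literal `<script>` tag, and the reliable defence is to escape the value at the point where it is written back into HTML. The `escapeHtml` helper and the sample query string are constructed for this example.

```php
<?php
// Added example, not part of the original post. Demonstrates the two
// distinct layers: URL decoding of the request (done for you) and HTML
// escaping of the output (which you must do when rendering).

// Constructed sample: the raw request body the scanner sent.
$rawQuery = 'name=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E';

// The web server / PHP decode percent-encoding before $_POST and $_GET
// are populated. parse_str() performs the same decoding here so the
// example runs stand-alone without a web request.
parse_str($rawQuery, $params);
$name = $params['name'];   // literally: <script>alert(123)</script>

// Output escaping for an HTML text/attribute context. This neutralises
// markup characters regardless of which input filters ran earlier and,
// unlike an Alpha/Alnum filter, keeps apostrophes and hyphens intact.
function escapeHtml(string $value): string
{
    // ENT_QUOTES also encodes single quotes, which matters inside
    // attribute values delimited by ' or ".
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Re-rendering the submitted value into the sticky form field.
$field = '<input type="text" name="name" value="' . escapeHtml($name) . '">';
echo $field, PHP_EOL;

// A legitimate surname survives escaping, which is the property the
// alnum filter lost.
echo escapeHtml("O'Brien-Smith"), PHP_EOL;
```

In a Zend_View template the same escaping is available as `$this->escape($value)`; the point is that escaping belongs where the value is emitted into HTML, not in the input filter chain.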