Thread: Fixing cross-site scripting (XSS) in search box

I need your assistant in fixing an issue in the search textbox in one of the jsp's. I was informed that cross site scripting can be done in the textbox and I kept the below code in my jsp to fix the issue:

searchTerm = request.getParameter("search");
 
   searchTerm = searchTerm.replaceAll("<", "<").replaceAll(">", ">");
 
   searchTerm = searchTerm.replaceAll("[^A-Za-z0-9 ]", "");
 
               searchTerm = searchTerm.replaceAll("eval\\((.*)\\)", "");
 
               searchTerm = searchTerm.replaceAll("[\\\"\\\'][\\s]*((?i)javascript):(.*)[\\\"\\\']", "\"\"");
 
               searchTerm = searchTerm.replaceAll("((?i)script)", "");
 
               searchTerm = searchTerm.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
 
               searchTerm = searchTerm.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
 
               searchTerm = searchTerm.replaceAll("'", "& #39;");
 
               searchTerm = searchTerm.replaceAll("script", "");
 
   searchTerm = searchTerm.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
 
   searchTerm = searchTerm.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
 
   searchTerm = searchTerm.replaceAll("'", "& #39;");
 
   searchTerm = searchTerm.replaceAll("eval\\((.*)\\)", "");
 
   searchTerm = searchTerm.replaceAll("[\\\"\\\'][\\s]*javascript<b></b>:(.*)[\\\"\\\']", "\"\"");
 
   searchTerm = searchTerm.replaceAll("script", "");

Now, after applying the above code, the cross site scripting can be done and the problem is that the search can't be done using the textbox and all the time will display none results.

So, can you please assist me in writing the best code and thanks