Fixing cross-site scripting (XSS) in search box

 
Greenhorn
Posts: 16
I need your assistance in fixing an issue in the search textbox in one of the JSPs. I was informed that cross-site scripting can be done in the textbox, and I put the below code in my JSP to fix the issue:


Now, after applying the above code, the cross-site scripting can be done, and the problem is that the search can't be done using the textbox; it always displays no results.

So, can you please assist me in writing the best code? Thanks.
 
Rancher
Posts: 43081
77
We can't help with why your search no longer works, as you haven't posted any of the code related to that. But I do see a whole lot of string replacing that does not seem to make much sense; can you walk us through what you're trying to achieve by those?

If the aim is to display the search terms safely on a web page then the thing to do is to replace pointy brackets, basically what line 13 or 21 does (if you remove the superfluous spaces).

A rather different task is to remove everything from the search term that might confuse the search engine. Now we can't advise on how to go about that because you haven't told us anything about how that works.
 
Sheriff
Posts: 67754
173
Are you using PreparedStatement for your JDBC?
 
Ranch Hand
Posts: 59
6
There is a lot of misinformation about cross-site scripting out there. Be careful of the sources you use. The first place I would check is:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

For cross site scripting, you should be escaping untrusted data when outputting it on a page. The tag libraries for web frameworks should have a way of doing this for you.

A blacklist approach like you're using is not recommended. It always leaves many holes in the filtering. For example, you're escaping "eval()" but not "eval ()". See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for how these filters can be bypassed.

Luckily, this is a solved problem. If you need escaping, use premade, fully tested libraries like:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Replacing input parameters has a few problems. One is that you are removing or corrupting valid user input as well as malicious input. What if the user wants to search for "script"? Another is that it doesn't take output context into account. Data that is safe for attribute values might not be safe for CSS styles or JavaScript contents. This is why these encoder libraries focus on escaping output rather than input, and they have multiple escape methods depending on context.
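As an added illustration of the advice in this reply and of the PreparedStatement question raised earlier (example code, not from the thread or from the OWASP project), here is how a JSP/servlet search page can hand the raw term to the database and encode it only where it is rendered back into the search box. `escapeForAttribute` is a hand-written stand-in for `Encode.forHtmlAttribute` from the OWASP Java Encoder, which is what you would use in practice; the `products` table, its `name` column and the `blacklistFilter` method are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class SearchEscaping {

    // Blacklist in the style the thread criticises: only the exact pattern is removed,
    // so "eval ()" (with a space) passes straight through, and a user searching for
    // the word "eval()" has their term silently corrupted.
    static String blacklistFilter(String term) {
        return term.replace("eval()", "").replace("<script>", "");
    }

    // Stand-in for Encode.forHtmlAttribute: encodes every character that could end
    // or alter a double-quoted HTML attribute, whatever the rest of the string is.
    static String escapeForAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Echo the term back into the search box: escaping happens at output time only.
    static String renderSearchBox(String term) {
        return "<input type=\"text\" name=\"q\" value=\"" + escapeForAttribute(term) + "\">";
    }

    // The query receives the unmodified term; the ? placeholder keeps it data, not SQL,
    // so the user can search for "script" or anything else without special handling.
    static List<String> findProducts(Connection conn, String term) throws SQLException {
        List<String> names = new ArrayList<>();
        String sql = "SELECT name FROM products WHERE name LIKE ?"; // hypothetical schema
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + term + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) names.add(rs.getString("name"));
            }
        }
        return names;
    }
}
```

Calling `renderSearchBox("\"><script>eval ()</script>")` yields a value attribute in which the quote and angle brackets are entity-encoded, so the input stays inside the attribute, while `blacklistFilter` on the same string leaves the `eval ()` variant untouched.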
 
Bear Bibeault
Sheriff
Posts: 67754
173
I'm wondering if it's really SQL Injection that he needs to worry about (though XSS is also a concern).
 