Learning

Reputation: 20031

Vulnerability scanner for asp.net flags cross site scripting

I am running the Netsparker vulnerability test and it flags the following URL:

http://localhost:54923/search/'ns='netsparker(0x005AAD)

I am not able to understand what the 'ns='netsparker(0x005AAD) part is, or how to fix this issue. I am sanitizing the input /search/searchkeyword and also encoding the input.

The user enters the keyword in the search input box and the page is then redirected to the search page with the search keyword: http://localhost:54923/search/apple

1> It doesn't contain any JS script:

    // Blacklist check on the raw search keyword; rejects the request if any listed token appears
    if (filterInput.Contains("onmouseover") || filterInput.Contains("script") || filterInput.Contains("</style>") || filterInput.Contains("</script>") || filterInput.Contains("<") || filterInput.Contains("%3c") || filterInput.Contains("?") || filterInput.Contains("%3f") || filterInput.Contains("alert"))
    {
        search = System.Web.HttpUtility.HtmlEncode(filterInput);
        Response.Write("Invalid Search");
        Response.End();
    }

2> I am adding the line below to web.config to make it a bit more secure:

<httpRuntime targetFramework="4.5" requestValidationMode="2.0" enable="true" encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>

Based on this I have a few questions:

  1. What is 'ns='netsparker(0x005AAD) in the URL? Does it represent JS?
  2. How can I prevent this?
  3. Are the measures I have taken fine, or do I need to do more?

After adding a few security steps, Netsparker still flags it as XSS. How can I fix this so that it's not flagged?

Upvotes: 0

Views: 481

Answers (1)

shawkyz1

Reputation: 886

Basically, the current code sanitization is based on a blacklist, which is a bad practice.

In this specific case you don't need to sanitize, but rather encode the incoming input.

The ASP.NET input validation is also based on a blacklist, which is also not secure.

Upvotes: 1
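As an added example (not code from the question or the answer), this is what "encode at output instead of blacklisting input" looks like for the search page: the keyword is encoded for each context it is rendered into, using the System.Web encoders the question already references. The page layout (a heading, a prefilled input box and an inline script variable) is assumed; the probe string is the one Netsparker sent in the question.

```csharp
using System;
using System.Web;

// Added example: context-aware output encoding of the reflected search term.
// No blacklist is needed, so legitimate terms such as "apple?" or "don't"
// are no longer rejected, and a scanner probe is rendered as inert text.
public static class SearchView
{
    // Assumed page fragment that echoes the search term in three contexts.
    public static string Render(string keyword)
    {
        // HTML element content: < > & " ' are turned into entities.
        string heading = "<h2>Results for " + HttpUtility.HtmlEncode(keyword) + "</h2>";

        // Quoted attribute value: quotes are encoded, so an apostrophe or
        // double quote in the keyword cannot terminate the value attribute.
        string box = "<input type=\"text\" name=\"q\" value=\""
                   + HttpUtility.HtmlAttributeEncode(keyword) + "\" />";

        // JavaScript string literal: quotes, backslashes and < > are escaped,
        // so the keyword stays inside the string and cannot close the script.
        string script = "<script>var q = \"" + HttpUtility.JavaScriptStringEncode(keyword) + "\";</script>";

        return heading + Environment.NewLine + box + Environment.NewLine + script;
    }

    public static void Main()
    {
        // Probe from the question: it contains none of the blacklisted tokens,
        // which is why the check in the question does not stop it.
        string probe = "'ns='netsparker(0x005AAD)";
        Console.WriteLine(Render(probe));
        Console.WriteLine();
        // A normal keyword renders unchanged apart from the encoding.
        Console.WriteLine(Render("apple"));
    }
}
```

With the encoderType setting from the question present in web.config, HttpUtility.HtmlEncode and HtmlAttributeEncode are routed through AntiXssEncoder automatically, so the same calls gain its stricter whitelist-based encoding.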
