Last night, I attended the San Francisco Java Meetup which was led by Jason Brittain on the topic of Cross Site Scripting (XSS). This is a serious security problem and Jason offered one solution: using Servlet filters to remove illegal input in user parameters. He has his own filter which will soon be available on SourceForge. He also mentioned the XSS filter from Stripes Framework. These are general solutions that may or may not be appropriate for your application, but they’re worth a look.
A question came up toward the end of the session on how to do this for PHP. My answer was simple: use Servlet filters! Quercus is available as a Servlet, so you can just insert these or other filters in front of (or behind) it. I understand there may be some PHP solutions for this, but this opens the option using a servlet filter as well. This area is still being developed, but if a servlet filter becomes one of the better known, recognized ways of doing really good XSS attack filtering, you’ll be set using Quercus.