By default, Access Manager performs extensive checks to prevent Cross-site Scripting (XSS) attacks. However, Access Manager does not validate a JSP file if you have customized it. If you modify JSP files to customize the login, logout, error pages, and so forth, you must sanitize the respective JSP file to prevent XSS attacks.
Use one of the following options to sanitize the customized JSP file:
HTML Escaping. See Option 1: HTML Escaping in the NetIQ Access Manager 5.0 Administration Guide.
Filtering. See Option 2: Filtering in the NetIQ Access Manager 5.0 Administration Guide.
Understanding Relaxed Query Parameters. See Option 3: Understanding Relaxed Query Parameters in the NetIQ Access Manager 5.0 Administration Guide.
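
As an added illustration of the first two options (this is not code from NetIQ or from the Administration Guide), the following Java helper shows HTML escaping and allowlist filtering that a customized JSP could apply to request-derived values before writing them into the page. The class name, the `msg` parameter, and the allowlist pattern are assumptions made for the example.

```java
import java.util.regex.Pattern;

// Added example, not NetIQ code: helpers a customized JSP could call before
// writing any request-derived value into the page.
public final class JspOutputSanitizer {

    // Filtering: assumed allowlist for short display messages (letters, digits,
    // space, underscore, dot, hyphen). Adjust to what the page really expects.
    private static final Pattern SAFE_TEXT = Pattern.compile("^[A-Za-z0-9 _.-]{1,128}$");

    private JspOutputSanitizer() {}

    // HTML escaping: neutralizes characters that change HTML element or quoted
    // attribute context. It does not make a value safe inside <script> or a URL.
    public static String escapeHtml(String value) {
        if (value == null) return "";
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Filtering: returns the value only if it matches the allowlist,
    // otherwise a fixed fallback chosen by the page author.
    public static String filter(String value, String fallback) {
        return (value != null && SAFE_TEXT.matcher(value).matches()) ? value : fallback;
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for request.getParameter("msg")
        // ("msg" is a hypothetical parameter name).
        String msg = "\"><script>alert(1)</script>";
        // Unsafe in a customized JSP: <%= request.getParameter("msg") %>
        System.out.println(escapeHtml(msg));                     // rendered as inert text
        System.out.println(filter(msg, "Login failed"));         // rejected, fallback used
        System.out.println(filter("Session expired", "Login failed")); // accepted as-is
    }
}
```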