While in production, we came across a recent XSS vulnerability in our application. Our application has all the security patches, including the XSS filter. I have 2 questions here:
1. OOTB, are we using any white-list sanitization?
2. Why are we relying on blacklist sanitization, as it is highly impractical to identify all possible XSS payloads and this approach is not recommended?
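As an added illustration of the distinction the question draws (this is example code, not from the original post or from the application's own XSS filter): a naive blacklist filter placed beside a small whitelist sanitizer in JavaScript. The function names, the allowed tag/attribute set and the sample payloads are assumptions chosen for the demonstration; the point is that the blacklist is bypassed by an unlisted vector or by nesting, while the whitelist drops everything it was not explicitly told to keep.

```javascript
// Added example, not code from the original post or its application.
// Blacklist: strip <script> tags and the string "javascript:" (assumed naive filter).
function blacklistFilter(html) {
  return html
    .replace(/<\s*\/?\s*script[^>]*>/gi, "")
    .replace(/javascript:/gi, "");
}

// Whitelist: only these tags survive, with only these attributes (assumed policy).
const ALLOWED = { b: [], i: [], p: [], br: [], a: ["href"] };
// href must be http(s), a site-relative path, or a fragment; rejects javascript:, data:, etc.
const SAFE_HREF = /^(https?:\/\/|\/(?!\/)|#)/i;

// Escape anything that is emitted as text or as an attribute value.
// Note: existing entities like &amp; are re-encoded; acceptable for untrusted input.
function escapeText(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

function whitelistSanitize(html) {
  // Tokenize: anything shaped like <name ...> or </name ...> is a tag, the rest is text.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags is always escaped
    last = tagRe.lastIndex;
    const isClose = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!(name in ALLOWED)) continue; // unknown tag: dropped entirely (img, svg, script, ...)
    if (isClose) {
      out += `</${name}>`;
      continue;
    }
    let attrs = "";
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[3])) !== null) {
      const attrName = a[1].toLowerCase();
      if (!ALLOWED[name].includes(attrName)) continue; // on* handlers etc. never listed
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      if (attrName === "href" && !SAFE_HREF.test(value)) continue;
      attrs += ` ${attrName}="${escapeText(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed payloads for the comparison (typical blacklist bypasses).
const PAYLOADS = [
  "<img src=x onerror=alert(1)>",          // no <script>, no javascript: -> blacklist misses it
  "<scr<script>ipt>alert(1)</script>",     // nesting: removing the inner tag rebuilds <script>
  '<a href="javascript:alert(1)">x</a>',   // blacklist mangles it, whitelist drops the href
];

for (const p of PAYLOADS) {
  console.log("blacklist:", blacklistFilter(p));
  console.log("whitelist:", whitelistSanitize(p));
}
```

The whitelist sanitizer here is deliberately small and does not handle every HTML parsing quirk (comments, CDATA, unquoted attributes containing `>`, entity-encoded attribute values); it exists to show the policy difference, not to replace a maintained library such as DOMPurify or the OWASP Java HTML Sanitizer, which is what a production whitelist approach should use.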