These are the results from McAfee Secure regarding XSS from shoppica2
The goal of this test is to verify unsuccessful input validation. In many cases, the demo may not test successfully in the browser to prove vulnerability. Newer browsers will encode attack strings on the fly in order to prevent attacks from working properly. The end result is the browser makes the demo tool seem like it’s not working.
Luckily, there are other tools that can mimic the findings of the scanner. In these cases you would have to use a proxy tool to make the adjustments to the request, or you can use the commandline tool called cURL (commandline URL) in order to replicate the issue. The curl commandline is useful since it does not use XSS evasion techniques. It’s available with Unix/Linux platforms and also with Cygwin (for Windows).
The following example will make a specially crafted request and will filter out all lines except those which contain the attack string and may include five lines before/after it to help pinpoint its location in the page:
$ curl --max-time 10 -iskL 'http://www.apasaja.biz/catalog/view/theme/shoppica2/stylesheet/ie.css.php?v=2.2.2&theme=>">' --header "Referer: http://www.apasaja.biz/" | egrep -B5 '">/javascript/pie/PIE.php);
How to resolve this?
|
|
Replace catalog/view/theme/shoppica2/stylesheet/ie.css with the attached file. Thanks for the spot.
Regards,
ThemeBurn team
|
|
Hi, thanks for your help. I will resubmit the test after this and will inform you later, once the test is completed.
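A local retest of the scanner's check before resubmitting, as an added example that is not part of this thread or of the theme's code: it classifies whether a probe value placed in the theme parameter comes back unencoded, HTML-encoded, or not at all. The probe value, the function names and the three sample response bodies are constructed assumptions built around the "/javascript/pie/PIE.php);" fragment quoted above.

```shell
#!/usr/bin/env bash
# Added example: classify how a probe value comes back in a saved response.
# PROBE is a constructed, inert marker; it carries the > and " characters
# seen in the page's request so that output encoding can be observed.
PROBE='>">zz_probe_1'

# Prints raw (echoed unencoded), encoded (HTML entities) or absent.
classify_reflection() {
  local probe=$1 body_file=$2 encoded
  encoded=$(printf '%s' "$probe" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' -e 's/"/\&quot;/g')
  if grep -qF -- "$probe" "$body_file"; then
    echo raw
  elif grep -qF -- "$encoded" "$body_file"; then
    echo encoded
  else
    echo absent
  fi
}

# Writes three constructed response bodies into directory $1. The CSS rule is
# an assumed shape built around the "/javascript/pie/PIE.php);" fragment.
make_samples() {
  printf 'a { behavior: url(theme/%s/javascript/pie/PIE.php); }\n' "$PROBE" > "$1/before.css"
  printf 'a { behavior: url(theme/%s/javascript/pie/PIE.php); }\n' \
    '&gt;&quot;&gt;zz_probe_1' > "$1/encoded.css"
  printf 'a { behavior: url(theme/shoppica2/javascript/pie/PIE.php); }\n' > "$1/fixed.css"
}

# Against your own site, save the response first; URL is a placeholder for
# the request that carries PROBE in the theme parameter:
#   curl --max-time 10 -iskL "$URL" -o resp.txt
dir=$(mktemp -d)
make_samples "$dir"
for f in before encoded fixed; do
  printf '%s: ' "$f"; classify_reflection "$PROBE" "$dir/$f.css"
  grep -nF -B5 -A5 -- "$PROBE" "$dir/$f.css" || true   # context, as on the page
done
rm -rf "$dir"
```

A result of raw means the input validation finding still reproduces; encoded or absent means the value is no longer echoed as markup.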