We have a custom login page deployed, and it looks like when you put a script in the URL like = accesskey="x"onclick="alert(1)"//
Example: https://www2.xxxx.com/siteminderagent/forms/ipslogin.fcc?TARGET=-SM-HTTPS:%2F%2F%22accesskey%3D%22x%22onclick%3D%22alert(1)%22%2F%2Fz43jn
it can pop up with an error.
We were able to reproduce this only in Firefox and not in any other browser. How can we prevent this type of attack?
Release: ALL
Component: SITEMINDER - WEB AGENT FOR APACHE
The Web Agent had not been configured to block the risky characters used in the attack, namely the double quote character (%22).
Add %2522 to the BadQueryChars ACO parameter to block double quotes in request query strings. Alternatively, add %22 to the BadURLChars ACO parameter.
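As an added illustration (not from this article or from the SiteMinder product), the Python below models the bad-character check against the request URL quoted in the ticket and shows why the double quote is the character that matters once TARGET is reflected into the login form. The matching semantics (each ACO list entry URL-decoded once, then compared with the raw query string) and the hidden-field markup are assumptions, not documented Web Agent behaviour.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample requests: the attack URL quoted in the ticket, and a
# benign TARGET that points back at the same site.
ATTACK_URL = ("https://www2.xxxx.com/siteminderagent/forms/ipslogin.fcc"
              "?TARGET=-SM-HTTPS:%2F%2F%22accesskey%3D%22x%22onclick%3D%22alert(1)%22%2F%2Fz43jn")
BENIGN_URL = ("https://www2.xxxx.com/siteminderagent/forms/ipslogin.fcc"
              "?TARGET=-SM-HTTPS:%2F%2Fwww2.xxxx.com%2Fportal%2Fhome")

def parse_bad_chars(aco_value: str) -> list[str]:
    """Turn a comma-separated ACO value into the literal sequences to block.
    Assumption: each entry is URL-decoded once, so %2522 becomes the
    three-character sequence '%22' and %22 becomes a bare double quote."""
    return [unquote(e.strip()) for e in aco_value.split(",") if e.strip()]

def query_is_blocked(url: str, bad_query_chars: str) -> bool:
    """True if the raw (still percent-encoded) query string contains any
    blocked sequence. Case-insensitive so %2f and %2F are treated alike."""
    raw_query = urlsplit(url).query
    return any(seq.lower() in raw_query.lower()
               for seq in parse_bad_chars(bad_query_chars))

def render_target_field(url: str, escape: bool) -> str:
    """Reflect the decoded TARGET value into a hidden form field.
    The markup is a hypothetical stand-in for the real login form; the point
    is that without attribute encoding the quote closes the value attribute."""
    target = unquote(urlsplit(url).query.split("TARGET=", 1)[1])
    value = html.escape(target, quote=True) if escape else target
    return f'<input type="hidden" name="TARGET" value="{value}">'

def attribute_injected(markup: str) -> bool:
    """For this sample, breakout means the injected onclick survives as a
    real quoted attribute rather than as &quot;-escaped text."""
    return 'onclick="' in markup

if __name__ == "__main__":
    before_fix = ""        # BadQueryChars left empty: nothing is rejected
    after_fix = "%2522"    # resolution from the article
    print("attack blocked before fix:", query_is_blocked(ATTACK_URL, before_fix))
    print("attack blocked after fix: ", query_is_blocked(ATTACK_URL, after_fix))
    print("benign blocked after fix: ", query_is_blocked(BENIGN_URL, after_fix))
    print("breakout, raw reflection: ", attribute_injected(render_target_field(ATTACK_URL, False)))
    print("breakout, HTML-escaped:   ", attribute_injected(render_target_field(ATTACK_URL, True)))
```

The last two lines show the complementary control: even where the agent filter is bypassed, HTML-attribute encoding of the reflected value leaves the quote inert.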