Message Boards

XSS in Liferay with Java Server Face 2.1

david torres, modified 7 years ago.

XSS in Liferay with Java Server Face 2.1

New Member Posts: 1 Join Date: 14-1-7 Recent Posts
Greetings to all. This is an English translation.
My application uses JavaServer Faces 2.1 and PrimeFaces 3.5.
Security tests are injecting the following script (XSS) into the request: _LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource=/views/loginsucursalvirtual/View.xhtml]]></ErrorMessage><EvilTag>NeoSecure_Octubre2016</EvilTag><ErrorMessage><![CDATA[viewId!:
Finally, the request looks like:
http://IP:PORT/web/company/home?p_p_cacheability=cacheLevelPage&p_p_col_count=2&p_p_col_id=column-1&p_p_col_pos=1&p_p_id=LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet&p_p_lifecycle=2&p_p_mode=view&p_p_state=normal&_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource=/views/loginsucursalvirtual/View.xhtml%5D%5D%3E%3C/errormessage%3E%3CEvilTag%3ENeoSecure_Octubre2016%3C/EvilTag%3E%3Cerrormessage%3E%3C!%5BCDATA%5BviewId:&_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__jsfBridgeAjax=true&A4284%3Aj_idt8=A4284%3Aj_idt8&A4284%3Aj_idt8%3Aj_idt19=A4284%3Aj_idt8%3Aj_idt19&A4284%3Aj_idt8%3Apassword=xxxxx&A4284%3Aj_idt8%3Arut=xxxxx&javax.faces.encodedURL=http%3A%2F%2FIP%3APORT%2Fweb%2Fcompany%2Fhome%3Fp_p_id%3DLoginSucursalVirtual_WAR_LoginSucursalVirtualportlet%26p_p_lifecycle%3D2%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_cacheability%3DcacheLevelPage%26p_p_col_id%3Dcolumn-1%26p_p_col_count%3D2%26p_p_col_pos%3D1%26_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__jsfBridgeAjax%3Dtrue%26_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource%3D%252Fviews%252Floginsucursalvirtual%252Fview.xhtml&javax.faces.partial.ajax=true&javax.faces.partial.execute=%40all&javax.faces.source=A4284%3Aj_idt8%3Aj_idt19&javax.faces.ViewState=-764305338050689266%3A8833452760774064468

How can I prevent this parameter from being injected into the Liferay request with JSF?

Thank you.
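An added, defender-side illustration of what the injected value does to the XML partial response and how a portlet could reject or safely reflect it. This is example code written for this page, not Liferay or JSF bridge code: the parameter name is the one from the request above, the request itself is a shortened constructed copy, and the view-id allow-list pattern and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed, shortened copy of the request quoted above (IP:PORT kept as a placeholder).
SAMPLE_REQUEST = (
    "http://IP:PORT/web/company/home?p_p_id=LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet"
    "&p_p_lifecycle=2&_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource="
    "/views/loginsucursalvirtual/View.xhtml%5D%5D%3E%3C/errormessage%3E%3CEvilTag%3E"
    "NeoSecure_Octubre2016%3C/EvilTag%3E%3Cerrormessage%3E%3C!%5BCDATA%5BviewId:"
    "&javax.faces.partial.ajax=true"
)

# Assumed allow-list: a view id is a slash-separated path of plain segments ending in .xhtml
# (no dots inside a segment, so no "..", and no markup or CDATA terminator can get through).
VIEW_ID_RE = re.compile(r"^(?:/[A-Za-z0-9_\-]+)+\.xhtml$")


def faces_view_id_resource(url):
    """Return the URL-decoded *__facesViewIdResource parameter, or None if it is absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        if name.endswith("__facesViewIdResource"):
            return values[0]
    return None


def is_valid_view_id(view_id):
    """Input validation: accept only values that look like a real view path."""
    return view_id is not None and VIEW_ID_RE.match(view_id) is not None


def cdata_safe(text):
    """Output encoding for CDATA: split every ']]>' so it cannot close the section early."""
    return text.replace("]]>", "]]]]><![CDATA[>")


def error_message_xml(view_id):
    """Error element in the style of a partial response, with the reflected value encoded."""
    return "<error-message><![CDATA[viewId: %s]]></error-message>" % cdata_safe(view_id)


def reflected_text(xml_fragment):
    """Parse the fragment; return its character data, or None if injected markup became elements."""
    root = ET.fromstring(xml_fragment)
    if len(root) != 0:  # a child element means the injected tags escaped the CDATA section
        return None
    return root.text
```

With the page's payload, `is_valid_view_id` rejects the parameter outright, and `error_message_xml` keeps the `<EvilTag>` text inside the CDATA section so the browser's partial-response handler never sees it as an element.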
Neil Griffin, modified 7 years ago.

RE: XSS in Liferay with Java Server Face 2.1

Liferay Legend Posts: 2655 Join Date: 05-7-27 Recent Posts
Hi David,

The error message indicates that you are trying to perform a login with XHR (perhaps with f:ajax in your view) which will not work. Instead, the login needs to take place with full page HTTP postback.

I recommend that you try our jsf-login-portlet demo. The source can be found at GitHub and the Liferay Portal 7.0 version and Liferay Portal 6.2 version can be downloaded from Maven Central as downloadable wars that you can copy to $LIFERAY_HOME/deploy in order to try in your environment.

Kind Regards,

Neil