dotCMS has code in the CMSFilter that try to solve issues with XSS attacks, but that code is never called by the 404 page.

This is becuase for all velocity served by the CMS, we use something called 

   - com.dotmarketing.viewtools.RequestWrapper 

that solves that problem overwriting the get parameter and check for a XSS parameter before return it 

public String getParameter(String arg0) { 
String ret = _request.getParameter(arg0); 
if(UtilMethods.isSet(ret) && Xss.URLHasXSS(ret)){ 
ret = UtilMethods.htmlifyString(ret); 
} 
return ret; 
} 

The problem is on the files that are not displayed by the CMS, but by the servlet container, for example the 404, 403, 500 pages, that are .jsp and display all the parameters sent to those pages, and will try to display also the parameter with the XSS attack and will run the javascript. 

Also in the CMSFilter we have 

   if(Xss.URLHasXSS(uri)) 

Which uses the uri as a parameters, but the uri only ahs the link to the resource without the parameters, so it doesn't filter this case 

• Delete or override the dotCMS error jsps found under /dotCMS/portal/ to prevent XSS attacks;
• Or, upgrade to the latest dotCMS version.

• http://jira.dotmarketing.net/browse/DOTCMS-5342