XSS is a well-known vulnerability in JSP. There is a lot of information on the web (and on Stack Overflow) about preventing XSS in JSP.
I have found that printing user input with <c:out> is the most commonly used approach. It escapes XML characters.
The second approach is using the Jsoup or OWASP libraries for sanitizing user input. They escape HTML characters.
I have tried using Jsoup for sanitizing user input. It works well for HTML-based XSS attacks, but it does not sanitize characters like: ". XSS attacks are possible, as " can close the HTML attribute tag and add a malicious script inside the tag.
I have tried using <c:out> to print user input in JSP. It seems to protect against all XSS attacks, but I can't find on the web whether that assumption is correct.
There are similar questions on Stack Overflow, but none of them answers the following question: "Is <c:out>, used for printing user input in JSP, protecting against all XSS attacks?" (If it is not, how can I prevent XSS attacks in JSP?)
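
An added example, not part of the original post: the Java below reproduces the five character replacements <c:out> performs with its default escapeXml="true", and applies them to a quoted attribute value and to a link target. The class COutContexts, the helpers escapeXml and isSafeLink, and the sample inputs are constructed for illustration; the scheme allowlist is an assumed policy for URL attributes, where entity escaping alone changes nothing in the value.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class COutContexts {
    // The five replacements <c:out> applies when escapeXml is true (its default).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed policy for URL attributes: only http(s) or scheme-less (relative) links.
    static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    static boolean isSafeLink(String url) {
        try {
            String scheme = URI.create(url.trim()).getScheme();
            return scheme == null
                || ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return false; // unparseable input is rejected, not guessed at
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String attrInput = "x\" onmouseover=\"alert(1)";
        String linkInput = "javascript:alert(1)";

        // Quoted attribute: the double quote is encoded, so the value cannot end early.
        System.out.println("<input value=\"" + escapeXml(attrInput) + "\">");

        // Link target: none of the five characters occur, so escaping leaves the
        // value untouched and the scheme has to be validated separately.
        System.out.println("escaped link unchanged: " + escapeXml(linkInput).equals(linkInput));
        System.out.println("link allowed:           " + isSafeLink(linkInput));
        System.out.println("relative link allowed:  " + isSafeLink("/profile?id=7"));
    }
}
```

The same reasoning applies to values written inside a <script> block or an unquoted attribute: those contexts need their own encoding or validation in addition to XML escaping.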