I have the same issue reported from a pen test.
It was identified that the application was vulnerable to Reflective Cross-Site Scripting.
During testing, it was identified that it was possible to append arbitrary parameters to the HTTP request URLs and the server returned the full URL in the response without any encoding. By injecting scripts as the arbitrary parameter appended to the request, it was possible to have the script returned in the response and have it executed by the browser.
It is to be noted that, for the attack to be effective, the victim's browser must not URL-encode the request. As most modern browsers do automatically encode the URL, this limits the potential victims to only those users who use old browsers (e.g. Internet Explorer 8) to visit the application, with Cross-Site Scripting protection disabled.
I have applied the fix from the above post, but when running an IE8 browser (emulation) with XSS protection off, it doesn't encode the URL query string.
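The finding above boils down to the server echoing the raw request URL into an HTML attribute and trusting the browser to have percent-encoded it. The following is an added example (not code from the post or from the application under test) showing the vulnerable echo beside a hardened version that does the encoding server-side, so the result no longer depends on what the client sent. The host `app.example` and the sample URL are constructed; the `href` context is assumed, since the post does not say where the URL was reflected.

```python
import html
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample: a request URL (hypothetical host) with an extra parameter
# appended exactly as the finding describes, sent by a client that did NOT
# percent-encode it (the IE8-with-XSS-filter-off case).
SAMPLE_URL = 'https://app.example/search?q=shoes&x="><script>alert(1)</script>'


def reflect_url_vulnerable(request_url: str) -> str:
    """The behaviour from the finding: the raw URL lands in an attribute unencoded."""
    return f'<link rel="canonical" href="{request_url}">'


def normalise_url(request_url: str) -> str:
    """Re-serialise the URL, percent-encoding characters that are not valid there.

    '%' is kept as safe so a client that already encoded the request is not
    double-encoded; everything else outside the URL-safe set is escaped.
    """
    parts = urlsplit(request_url)
    safe_path = quote(parts.path, safe="/%:@")
    safe_query = quote(parts.query, safe="=&%+:@/?")
    # The fragment is never sent to the server, so it is dropped on output.
    return urlunsplit((parts.scheme, parts.netloc, safe_path, safe_query, ""))


def reflect_url_hardened(request_url: str) -> str:
    """Two independent layers: URL normalisation, then HTML attribute encoding.

    Either layer alone neutralises the sample; using both means a bug in one
    (or a URL that reaches this code by another route) is still covered.
    """
    return f'<link rel="canonical" href="{html.escape(normalise_url(request_url), quote=True)}">'


def contains_raw_markup(rendered: str) -> bool:
    """Crude check used to demonstrate the difference: does a literal tag survive?"""
    return "<script" in rendered or '"><' in rendered


if __name__ == "__main__":
    print("vulnerable:", reflect_url_vulnerable(SAMPLE_URL))
    print("hardened:  ", reflect_url_hardened(SAMPLE_URL))
```

The point for the retest in the post: the fix has to live where the URL is written into the page, not in any assumption about the browser. If the emulated IE8 still sends `<` and `>` unencoded, the hardened path above still produces an attribute value with no markup in it.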