I have a PHP AJAX site and found that there is a possibility of XSS in the AJAX library. Please find the request and response below. The rsargs[] parameter can take any script or value and is thus vulnerable to attacks. Tried so far: HTML encoding - didn't work because it trims off my content.
In the sample below, the application is giving out files in the Windows directory.
Request:
POST /Weblogin.php HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: https://xxx.xx.xx.xx/Code/weblogin.php
Accept: application/json, text/javascript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 172.25.152.91
Content-Length: 144
Connection: Keep-Alive
Cache-Control: no-cache
rs=GetWaitTime&rst=&rsrnd=1395815006191&rsobj=&rsargs[]=37091&rsargs[]=42lqd7b000&rsargs[]=../../../../../../../../../../windows/setupact.log%00
Response:
HTTP/1.0 200 OK
Date: Wed, 26 Mar 2014 06:39:30 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0
X-Powered-By: PHP/5.3.0
Connection: close
Content-Type: text/html
dispci.dll: ============BEGIN DisplayClassInstaller============
dispci.dll: ============BEGIN OnSelectBestCompatDrv============
dispci.dll: ============END OnSelectBestCompatDrv==============
dispci.dll: DisplayClassInstaller: Returning 0xe000020e for DIF 0x17 and device PCI\VEN_1002&DEV_515E&SUBSYS_01E61028&REV_02\4&1FC3087&0&28F0
dispci.dll: ============END DisplayClassInstaller==============
dispci.dll: ============BEGIN DisplayClassInstaller============
dispci.dll: ============BEGIN OnDestroyPrivateData============
dispci.dll: ============END OnDestroyPrivateData==============
<br />
<b>Fatal error</b>: Call to undefined function get_wait_time() in <b>C:\xampp\htdocs\Code\functions\Parent Functions\GetWaitTime.php</b> on line <b>11</b><br />
This is not an XSS vulnerability; it is path traversal. You appear to be using one of the arguments to construct a file path, then reading that file. Instead of HTML encoding, you should validate user input used in file path construction. You can consult the OWASP Guide to protect your application.
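An added example, not the asker's code or any library's: a constructed handler in the shape the answer describes, with the path built straight from rsargs[] beside a version that confines the file name to one directory. LOG_DIR and the function names are assumptions.

```php
<?php
// Added example, not the asker's code: a constructed handler in the shape the
// answer describes. LOG_DIR and the function names are assumptions.
define('LOG_DIR', __DIR__ . '/logs');

// BEFORE (the pattern the answer identifies): the third rsargs[] value goes
// straight into the path, so "../../../windows/setupact.log" walks out of
// LOG_DIR, and the trailing %00 is there to cut off anything the code appends.
function get_wait_time_unsafe(array $rsargs)
{
    return file_get_contents(LOG_DIR . '/' . $rsargs[2]);
}

// AFTER: accept only a plain file name, then confirm that the resolved path is
// still inside LOG_DIR before touching the filesystem. Returns null on rejection.
function resolve_log_file($name)
{
    // Whitelist: letters, digits, dot, dash, underscore. This excludes '/', '\'
    // and the NUL byte; '.' and '..' pass the character class so reject them too.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)
        || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file; anything resolving outside $base
    // (for example through a symlink) is refused as well.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function get_wait_time(array $rsargs)
{
    if (count($rsargs) < 3) {
        return null;
    }
    $path = resolve_log_file($rsargs[2]);
    return $path === null ? null : file_get_contents($path);
}

// The payload from the request above is refused by the whitelist before any
// filesystem call is made.
$blocked = resolve_log_file("../../../../../../../../../../windows/setupact.log\0") === null;
```

If the endpoint only ever needs a handful of known files, a fixed lookup table keyed by a short identifier is simpler still and removes the file name from user control entirely.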