C# code causing XSS vulnerability

Hello,

We get a vulnerability scan that is show that one of my pages is susceptible to a XSS attack.  We are using a telerik tree view to display different data when the nodes are expanded.  This is the information they reported back to me.

Issue Detail

The value of the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter is copied into the HTML document as plain text between tags. The payload sbi7s<script>alert(1)</script>tx52l was submitted in the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter. This input was echoed unmodified in the application's response.

Request

older1_VIndex2_tvIndex_ClientState=%7b%22expandedNodes%22%3a[]%2c%22collapsedNodes%22%3a[]%2c%22logEntries%22%3a[]%2c%22selectedNodes%22%3a[]%2c%22checkedNodes%22%3a[]%2c%22scrollPosition%22%3a%220**sbi7s%3cscript%3ealert(1)%3c%5c%2fscript%3etx52l**%22%7d&ctl00_RadWindowManager1_ClientState=&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24VIndex2%24btnAddCart=Add%20To%20Cart

Response

> HTTP/2 200 OK
> Cache-Control: no-cache 
> Pragma: no-cache 
> Content-Type: text/plain; charset=utf-8 
> Expires: -1 
> Server: Microsoft-IIS/10.0 
> X-Powered-By: ASP.NET 
> X-Frame-Options: SAMEORIGIN 
> X-Ua-Compatible: IE=edge,IE=11,IE=10,IE=9,IE=8,IE=7 
> Strict-Transport-Security: max-age=31536000 
> Date: Wed, 19 Mar 2025 16:26:27 GMT 
> Content-Length: 82 
> 68|error|500|0**sbi7s<script>alert(1)</script>tx52l** is not a valid value for Int32.|

What is the best way to pinpoint this issue?  How do I fix this so it isn't showing up on the scans?