Problem: Reflected Cross-Site Scripting (XSS) Attack

In the <head> section of your page, it outputs the requested URL:

...
<link rel="canonical" href="https://www.domain.de/blog/webblog/Arbeitsrechtz3q28"><img src=a onerror=alert('XSS_Attack')>pjbsf/ HTTP/1.1/"/>
</head>

Find the template/chunk where you output this <link>-tag and apply the htmlentities output modifier.

Btw, you probably shouldn’t publicly release your real domain name when you have security issues.

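The fix described above, as an added example that is not part of the original post: the requested URL is entity-encoded before it goes into the `href` attribute of the canonical `<link>`. The function names and the sample request path are constructed for illustration, and plain PHP `htmlentities()` stands in for the template system's output modifier.

```php
<?php
// Added example: canonical <link> built from the requested URL,
// once reflected verbatim and once entity-encoded.

function canonicalUnescaped(string $host, string $requestUri): string
{
    // Reflects the request path as-is: a double quote in the URL closes the
    // href attribute, and everything after it is parsed as markup.
    return '<link rel="canonical" href="https://' . $host . $requestUri . '"/>';
}

function canonicalEscaped(string $host, string $requestUri): string
{
    // Encode for an HTML attribute context. ENT_QUOTES covers both quote
    // styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
    // an empty string (which would silently drop the tag's href).
    $url = 'https://' . $host . $requestUri;
    return '<link rel="canonical" href="'
        . htmlentities($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '"/>';
}

function hrefStaysInsideAttribute(string $tag): bool
{
    // The tag is safe to emit only if it is still a single <link> element:
    // exactly one '<', and the only '>' is the one that closes the tag.
    return substr_count($tag, '<') === 1
        && substr_count($tag, '>') === 1
        && substr($tag, -3) === '"/>';
}

// Constructed sample modelled on the request shown in the post;
// www.domain.de is the post's placeholder host.
$requestUri = "/blog/webblog/Arbeitsrechtz3q28\"><img src=a onerror=alert('XSS_Attack')>pjbsf/";

$before = canonicalUnescaped('www.domain.de', $requestUri);
$after  = canonicalEscaped('www.domain.de', $requestUri);

echo $before, PHP_EOL;
echo 'single element: ', var_export(hrefStaysInsideAttribute($before), true), PHP_EOL;
echo $after, PHP_EOL;
echo 'single element: ', var_export(hrefStaysInsideAttribute($after), true), PHP_EOL;
```

The same encoding has to be applied at every place the template echoes the request URL, not only the canonical tag.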