Cross site scripting (XSS) vulnerability is mainly caused by the failure of web applications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still remain in many applications because of (i) the difficulty of adopting these methods, (ii) the inadequate implementation of these methods, and/or (iii) the lack of understanding of XSS problem. To address this issue, this study proposes a code-auditing approach that recovers the defence model implemented in program source code and suggests guidelines for checking the adequacy of recovered model against XSS attacks. On the basis of the possible implementation patterns of defensive coding methods, our approach extracts all such defences implemented for securing each potentially vulnerable HTML output. It then introduces a variant of control flow graph, called tainted-information flow graph, as a model to audit the adequacy of XSS defence artefacts. The authors evaluated the proposed method based on the experiments on seven Java-based web applications. In the auditing experiments, our approach was effective in recovering all the XSS defence features implemented in the test subjects. The extracted artefacts were also shown to be useful for filtering the false-positive cases reported by a vulnerability detection method and helpful in fixing the vulnerable code sections.