Security isn't something you can add after the fact; it's something that needs to be designed in from the start. If you developed the complete app without regard for security, except for what you mentioned, then you'll likely have some refactoring to do. The SecurityFaq lists a lot of the issues that need to be addressed, especially for web apps, including XSS and SQL injection.
I’ve looked at a lot of different solutions, and in my humble opinion Aspose is the way to go. Here’s the link: http://aspose.com