I think I mixed up log messages. litespeed blocked a request with the following error message:
mod_security rule triggered!
[Wed Feb 29 16:21:32 2012] [error] [client 192.168.1.10] ModSecurity: Access denied with code 403, [Rule: 'ARGS' '(fromCharCode|http-equiv|<.+>|innerHTML|dynsrc|-->)']
[Msg: XSS attack]
This was not an XSS attack but just some strange request by this application. I disabled this rule, looks good now. The mentioned log entries have nothing to do with this.
Sorry about that.