
In the DataTables draw parameter documentation it says:

"It is strongly recommended for security reasons that you cast this parameter to an integer, rather than simply echoing back to the client what it sent in the draw parameter, in order to prevent Cross Site Scripting (XSS) attacks."

How can casting a parameter to int help to prevent Cross Site Scripting?

1 Answer


You aren't supposed to do anything with it :-). On the client-side it is dealt with automatically by DataTables. On the server-side all you do is cast as int, and send it back. This example shows basic initialisation of server-side processing:

http://datatables.net/examples/data_sources/server_side.html

and for other attacks, DataTables indicates two ways to prevent an attack.

Prevention

There are two options to stop this type of attack from being successful in your application:

  1. Disallow any harmful data from being submitted
  2. Encode all untrusted output using a rendering function.

For the first option your server-side script would actively block all data writes (i.e. input) that contain harmful data. You could elect to simply disallow all data that contains any HTML, or use an HTML parser to allow "safe" tags. It is strongly recommended that you use a known and proven security library if you take this approach - do not write your own!

The second option, to use a rendering function, will protect against attacks when displaying the data (i.e. output). DataTables has two built-in rendering functions that can be used to protect against XSS attacks: $.fn.dataTable.render.text and $.fn.dataTable.render.number.

More Information: https://www.datatables.net/manual/security
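The following is an added example illustrating both points made in the answer above; it is not code from the DataTables project or from the answerer. It assumes a Node.js server-side script (function names buildResponse and renderText are hypothetical) and shows why casting draw to an integer matters: whatever string the client sends, the value echoed back in the JSON response can only ever be an integer, so no markup can be reflected through it. The renderText helper escapes HTML the way an output-encoding renderer such as $.fn.dataTable.render.text is intended to, so that untrusted cell data is displayed literally rather than interpreted by the browser.

```javascript
// Added example (not DataTables project code). Hypothetical server-side
// helpers for a DataTables server-side processing endpoint.

// Build the JSON reply for one server-side request. The documented advice is
// followed here: "draw" is cast to an integer rather than echoed back as-is.
function buildResponse(query, rows, totalRecords) {
  // parseInt keeps only the leading digits; any trailing text (including
  // HTML or script fragments) is discarded. A missing or non-numeric value
  // becomes NaN, which we normalise to 0 so the reply is always an integer.
  const draw = parseInt(query.draw, 10);
  return {
    draw: Number.isInteger(draw) ? draw : 0,
    recordsTotal: totalRecords,
    recordsFiltered: rows.length,
    data: rows,
  };
}

// Output encoding for cell content: escape the characters that are
// significant in HTML so the browser shows them as text, not markup.
// Same intent as $.fn.dataTable.render.text on the client side.
function renderText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Apply the text renderer to every cell of a row before it reaches the DOM.
function renderRow(row) {
  return row.map(renderText);
}

// Constructed sample request: a tampered draw value that is not a plain number.
const constructedQuery = { draw: '3<b>not a number</b>', start: '0', length: '10' };

// Constructed sample data containing markup that must not be interpreted.
const constructedRows = [
  ['Alice', '<b>bold</b>'],
  ['Bob', 'Tom & "Jerry"'],
];

// Stand-alone run: the reply's draw field is the integer 3, and the serialised
// reply carries no markup from the tampered parameter.
const reply = buildResponse(constructedQuery, constructedRows, constructedRows.length);
console.log(JSON.stringify(reply));
console.log(constructedRows.map(renderRow));
```

If the server simply echoed query.draw back, the string with its embedded tag would travel into the JSON reply and on to the client; casting it to an integer removes that reflection path entirely, which is the whole reason the documentation recommends it. Encoding at render time is the complementary control for the actual table data, which legitimately may contain characters such as < and &.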