XSS is one of the more serious issues in appsec, and it's pretty prevalent. It's also one of those things that is super hard to find accurately via static analysis. And vendors don't want to miss it — so, typically any data that gets to a response, ...