comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.
/* <![CDATA[ */
var a = "\"'><qss%20a=@REQUESTID@>";
/* ]]> */
The response does not have a vulnerability:
- The < and > characters do not have to be HTML encoded. They are inside a CDATA section.
- The " character is correctly encoded as \". It is inside a JS string wrapped in " characters.
- The ' character does not have to be encoded. It is inside a JS string that is not wrapped in ' characters.
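
One way to do the manual verification the scanner asks for, as an added example that is not part of the original report: the check below tracks whether the reflected text stays inside a single string literal of the inline script. The names `lexStates` and `assessReflection` and the sample are constructed here, and the lexer assumes the script contains no regex or template literals.

```javascript
// Constructed sample: the inline script body from the finding above.
const SAMPLE = [
  '/* <![CDATA[ */',
  'var a = "\\"\'><qss%20a=@REQUESTID@>";',
  '/* ]]> */',
].join('\n');

// Hypothetical helper: states[i] is the lexer state just before script[i].
// Simplified on purpose: regex and template literals are not recognised.
function lexStates(script) {
  const states = [];
  let state = 'code';
  for (let i = 0; i < script.length; i++) {
    states[i] = state;
    const c = script[i], next = script[i + 1];
    if (state === 'code') {
      if (c === '"') state = 'dq-string';
      else if (c === "'") state = 'sq-string';
      else if (c === '/' && next === '*') { state = 'block-comment'; states[++i] = state; }
      else if (c === '/' && next === '/') { state = 'line-comment'; states[++i] = state; }
    } else if (state.endsWith('-string')) {
      if (c === '\\') states[++i] = state;            // escaped char stays in the string
      else if (c === '\n') state = 'code';            // unterminated literal
      else if (c === (state === 'dq-string' ? '"' : "'")) state = 'code';
    } else if (state === 'block-comment') {
      if (c === '*' && next === '/') { states[++i] = state; state = 'code'; }
    } else if (c === '\n') state = 'code';            // end of line comment
  }
  states[script.length] = state;
  return states;
}

// Hypothetical helper: does the reflected text stay inside one string literal?
function assessReflection(script, reflected) {
  const at = script.indexOf(reflected);
  if (at === -1) return { found: false };
  const span = lexStates(script).slice(at, at + reflected.length + 1);
  const context = span[0];
  return {
    found: true,
    context,
    contained: context.endsWith('-string') && span.every((s) => s === context),
    // The HTML parser ends a script element at "</script" regardless of JS or CDATA context.
    closesScriptElement: /<\/script/i.test(reflected),
  };
}

console.log(assessReflection(SAMPLE, '\\"\'><qss%20a=@REQUESTID@>'));
```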