Comment 2 for bug 1417762

Adding horizon-coresec for debunking...

As the report stands, it hardly qualifies as XSS since the output is not HTML but JSON... I don't see why you would HTML-encode that output ? Or can you leverage the same bug on HTML output ?