Comment 8 for bug 1407092

Adam Heczko (aheczko-mirantis) wrote :

Dmitry, please consider that web services need to ensure that output sent to clients is encoded to be consumed as data and not as scripts. This gets pretty important when web service clients use the output to render HTML pages either directly or indirectly using AJAX/JavaScript objects.
Receiving JavaScript in the browser (Horizon for example) in HTML/Ajax objects where only data is intended could cause damage.
OTOH we are going to implement automatic security scanning of MOS APIs, so besides the above concerns, it will raise false positives in vulnerability testing engines.
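
The following is an added example, not part of the comment above and not code from the project: one way a Python JSON API can keep its output consumable as data only. The function names and the sample payload are hypothetical; it assumes the service returns JSON over WSGI.

```python
import json

# Characters that let a JSON string break out of an HTML or <script> context,
# mapped to JSON \uXXXX escapes that decode back to the same characters.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
}


def encode_api_body(payload):
    """Serialize payload to JSON that stays inert if a client drops it into HTML."""
    # Default ensure_ascii=True already escapes non-ASCII, including U+2028/U+2029.
    text = json.dumps(payload)
    # In json.dumps output these characters can only occur inside string values,
    # so a plain textual replacement cannot change the document structure.
    for char, escape in _HTML_UNSAFE.items():
        text = text.replace(char, escape)
    return text.encode("ascii")


def api_response(payload, status="200 OK"):
    """Build (status, headers, body) for a hypothetical WSGI JSON handler."""
    body = encode_api_body(payload)
    headers = [
        ("Content-Type", "application/json; charset=utf-8"),
        # Stop browsers from sniffing the body as HTML.
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ]
    return status, headers, body


# Constructed sample: a resource name that contains markup.
SAMPLE = {"name": "<b>node-1</b>", "note": "rack 'a' & rack 'b'"}

if __name__ == "__main__":
    status, headers, body = api_response(SAMPLE)
    print(status, dict(headers)["Content-Type"])
    print(body.decode("ascii"))
```

A JSON parser on the client recovers the original strings unchanged; the client must still insert them with text-only DOM APIs rather than as markup.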