As far as I can tell, this is only ever going to be visible from a malicious client (ie somebody running telnet), and is not able to be triggered from a browser (so no actual XSS).
As far as I can tell, this is only ever going to be visible from a malicious client (ie somebody running telnet), and is not able to be triggered from a browser (so no actual XSS).