A well-known but sometimes misunderstood vulnerability that remains in the list from 2013. Fairly easy to find and relatively easy to protect against.

Includes some app demos of what this looks like and how to prevent it with validation, encoding and server headers.