One of the first things on any security auditor’s list is checking to see if a site is vulnerable to cross-site scripting (XSS).