turns out that most of times, untrusted user supplied data slips through JS codes https://www.owasp.org/index.php/Top_10_2017-Top_10