reflected xss into a javascript string with angle brackets html encoded