reflected xss into html context with most tags and attributes blocked