The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.