The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.