Duping XSS on input rather than output
foobar7 opened this issue · 1 comment
Situation:
From time to time, triage will close XSS reports as dupes based on input rather than output (so when e.g. a name input is echoed in entirely different pages/functionalities, they will close reports as dupes of each other). When appealing, it's sometimes resolved by the platform, sometimes passed on to the program to decide, and sometimes reports are left closed.
Resolution:
The platform should correctly triage reports (ideally directly, otherwise on appeal) & dupe XSS on output.
Reasoning:
XSS is an output vulnerability, and that's where the issue needs to be resolved. That's also how it's mostly - but not always - handled. Adding a generic input filter or WAF over the input will not properly fix the issue. Among other things, already placed payloads will continue to trigger, allowing continued exploitation.
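The point in the issue above, shown in code. This is an added example from the editor, not part of the original issue or of any platform's triage tooling; it assumes a hypothetical application that stores one "name" field and renders it on two unrelated pages in two different output contexts. All payloads and page templates below are constructed for the demonstration.

```javascript
// Added example (not from the issue): one stored input, two output sinks,
// two separate XSS bugs. Sample values are constructed for the demonstration.

// The name was stored before any input filter existed, so a filter added
// at input time now will never see it.
const STORED_NAME = '<img src=x onerror=alert(1)>';

// A second payload that contains no angle brackets at all.
const JS_PAYLOAD = '";alert(1);//';

// Hypothetical "fix" applied at input time: strip anything that looks like a tag.
function naiveInputFilter(value) {
  return value.replace(/<[^>]*>/g, '');
}

// Correct output encoding for an HTML text or attribute context.
function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Correct output encoding for an inline <script> string context:
// JSON.stringify handles quotes and backslashes; the extra replacements stop
// "</script>" and the JS line terminators U+2028/U+2029 from breaking out.
function escapeJsString(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Sink 1: profile page, HTML body context.
function profilePageVulnerable(name) {
  return `<h1>Hello ${name}</h1>`;
}
function profilePageFixed(name) {
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Sink 2: admin page, inline script context. Different page, different
// context, different bug, even though the input is the same field.
function adminPageVulnerable(name) {
  return `<script>var user = "${name}";</script>`;
}
function adminPageFixed(name) {
  return `<script>var user = ${escapeJsString(name)};</script>`;
}

// HTML context check: does the payload reach the page verbatim (unencoded)?
function payloadSurvives(page, payload) {
  return page.includes(payload);
}

// Script context check: does the string literal still parse as one literal
// holding exactly the stored value? If the payload broke out, JSON.parse fails.
function literalIntact(page, expected) {
  const m = /var user = (.*);<\/script>/s.exec(page);
  if (!m) return false;
  try {
    return JSON.parse(m[1]) === expected;
  } catch (e) {
    return false;
  }
}

function demo() {
  return {
    // 1. The already-stored payload fires on the profile page; an input filter
    //    added today never touches it.
    storedStillFires: payloadSurvives(profilePageVulnerable(STORED_NAME), STORED_NAME),
    // 2. Output encoding on that page neutralises it.
    storedFixed: profilePageFixed(STORED_NAME),
    // 3. The tag-stripping input filter passes the script-context payload untouched...
    filterPassesJsPayload: naiveInputFilter(JS_PAYLOAD) === JS_PAYLOAD,
    // ...so on the admin page the string literal is terminated early.
    adminVulnerable: adminPageVulnerable(JS_PAYLOAD),
    adminVulnerableIntact: literalIntact(adminPageVulnerable(JS_PAYLOAD), JS_PAYLOAD),
    // 4. Context-correct encoding at the admin page's output keeps it inside the literal.
    adminFixed: adminPageFixed(JS_PAYLOAD),
    adminFixedIntact: literalIntact(adminPageFixed(JS_PAYLOAD), JS_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two sinks need two different encoders, and a fix to one page says nothing about the other; that is why the reports are not duplicates of each other. The tag-stripping filter also illustrates why an input-side "fix" is not a resolution: it leaves the stored payload in place and does nothing for a payload that never contained a tag.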
Agreed: the XSS vulnerability occurs on the output, not on the input, and the submissions should be treated as such.