The software receives input from an upstream component, but it
does not neutralize or incorrectly neutralizes special characters such as
"<", ">", and "&" that could be interpreted as web-scripting elements
when they are sent to a downstream component that processes web
pages.