If your website takes any part of the HTTP request from a user and displays it back to them, you could be enabling another vector by which a malicious third-party could inject JavaScript. Let's see how.