Scanner should not rely only on echoback
Status: Beta
Brought to you by:
jfahrenkrug
The context in which the string appears decides whether the XSS
code gets executed in the victim's browser, e.g. in
<a href="<script>alert(123)</script>"> the alert will
not be generated. We need to escape out of the " to get an
alert.
Parsing the DOM of the response could help here.
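
A sketch of the DOM-parsing check requested above, as an added example that is not the scanner's own code: it parses each response and reports the context the probe landed in, next to the plain echoback check. The names ReflectionFinder, classify, echoback_hit and dom_hit are hypothetical, and the sample responses are constructed.

```python
from html.parser import HTMLParser

PROBE = "<script>alert(123)</script>"  # the string quoted in the ticket
NEEDLE = "alert(123)"                  # survives entity decoding and tag parsing

class ReflectionFinder(HTMLParser):
    """Record the parse context of every place the probe text landed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.contexts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Inert for this probe. Event-handler and javascript: URL
            # attributes would need their own rule (not covered here).
            if value and NEEDLE in value:
                self.contexts.append(f"attribute:{tag}@{name}")
        self.in_script = self.in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if NEEDLE in data:
            self.contexts.append("script-element" if self.in_script else "text")

def classify(body):
    finder = ReflectionFinder()
    finder.feed(body)
    finder.close()
    return finder.contexts

def echoback_hit(body):   # the check the ticket says is not enough
    return PROBE in body

def dom_hit(body):        # report only when the probe became a real element
    return "script-element" in classify(body)

# Constructed sample responses, not captured from any real application.
SAMPLES = {
    "in_attribute": '<a href="<script>alert(123)</script>">next</a>',
    "encoded_text": "<p>Query: &lt;script&gt;alert(123)&lt;/script&gt;</p>",
    "quote_breakout": '<a href=""><script>alert(123)</script>">next</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, echoback_hit(body), dom_hit(body), classify(body))
```

The first sample is the false positive from the ticket: the echoback check fires, but the parser places the probe inside the href value. Only the third sample, where the quote comes back unencoded, yields a script element.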