Which vulnerability occurs when user-supplied input is reflected in a web page without proper sanitization and executes in a victim's browser?