[dwg]

You're correct that the script tag will not show. However, we train our testers to use special characters, including < and >, in their test data. It happens that the environment in which we spotted the vulnerability was our QA environment.

[dgalling]

The 3D view definitely makes it a bit more visible, but as someone who has spent a considerable amount of time testing XSS filters, it's not all that useful, since you generally know exactly where in the output your input will be, and also because looking at the raw output (not the constructed DOM tree) is a better way to identify XSS vulns.

It's a cool observation nonetheless, and props for catching XSS vulns in your QA environment, not production ;)