Reflected Unsanitized Error Messages

A recurring input-reflection shape where user-supplied data is echoed back in API error/response messages without sanitization, so attackers can inject markup or script tags and observe them reflected to the caller.