A story from a real pentest, where a strange cross-site scripting vulnerability was mistaken for a much more severe server-side template injection.