In a recent discussion about a security vulnerability scanner that returns false positives for XSS detection, I noticed that the scanner just injects a string like "this_is_my_string_" (without the double quotes) and, if it sees the string in the HTML response, it says that there exists an XSS.
Talking with the author of the scanner, I asked him how it is possible to say that there exists an XSS just by inserting that kind of string without < > ' " or any special char (just _). He says that, as the scanner does not yet include a JS interpreter, the detection will always be unreliable and manual confirmation will be needed.
Is it absolutely necessary to use a JS interpreter to automatically detect XSS vulnerabilities?
Would it be very unreliable to insert the so-called OWASP XSS Locator 2:
'';!--"<XSS>=&{()}
and look for special chars not being encoded in the response? Why?
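As an added illustration of the check asked about above (my own code, not from the question or the scanner it mentions), this lines the Locator 2 probe up against a response body and records, for each dangerous character, whether it came back raw, HTML-encoded, backslash-escaped or stripped. It assumes the response body is already available as a string and that the encoding table of common named entities is enough for the responses being triaged.

```python
PROBE = "'';!--\"<XSS>=&{()}"   # OWASP "XSS Locator 2", as quoted in the question
# Common HTML encodings of the dangerous characters; extend for numeric forms.
ENCODINGS = {"<": ("&lt;",), ">": ("&gt;",), "&": ("&amp;",),
             '"': ("&quot;",), "'": ("&#39;", "&#x27;")}
RANK = {"stripped": 0, "escaped": 1, "encoded": 2, "raw": 3}

def match_at(body, pos, probe=PROBE):
    """Line the probe up at body[pos]; dangerous chars may be encoded, escaped, raw
    or stripped, every other char must match. Returns ({char: worst status}, end) or None."""
    status = {}
    for c in probe:
        if c not in ENCODINGS:
            if not body.startswith(c, pos):
                return None
            pos += 1
            continue
        # Encodings are tested before the raw char because "&amp;" also starts with "&".
        enc = next((e for e in ENCODINGS[c] if body[pos:pos + len(e)].lower() == e), None)
        if enc:
            st, pos = "encoded", pos + len(enc)
        elif body.startswith("\\" + c, pos):    # JS-string style escaping
            st, pos = "escaped", pos + 2
        elif body.startswith(c, pos):
            st, pos = "raw", pos + 1
        else:
            st = "stripped"                      # filtered out, nothing consumed
        if RANK[st] > RANK.get(status.get(c), -1):
            status[c] = st                       # keep the worst outcome per char
    return status, pos

def reflections(body, probe=PROBE):
    """Every place the probe lines up in the body, with its per-character status."""
    out, pos = [], 0
    while pos < len(body):
        hit = match_at(body, pos, probe)
        if hit:
            out.append(hit[0])
            pos = hit[1]
        else:
            pos += 1
    return out

def verdict(body, probe=PROBE):
    """Bare reflection proves nothing; raw quotes or brackets make a candidate that still
    needs context confirmation (a raw '<' inside a JS string closes the script block)."""
    refs = reflections(body, probe)
    if not refs:
        return "not-reflected"
    if any(st.get(c) == "raw" for st in refs for c in "<>\"'"):
        return "raw-specials"
    return "neutralised"
```

The three verdicts map onto the question: the bare canary case yields nothing, an HTML-encoded reflection is reported as neutralised, and only reflections where quotes or angle brackets survive raw are flagged for manual or JS-engine confirmation.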