for instance
http://xxx/zkau?dtid=z_9wv5ec89<img%20src%3da%20onerror%3dalert(1)>1571e99e33135221d&cmd_0=onChange&uuid_0=rPHPj&data_0=%7B%22value%22%3A%22ab%22%2C%22start%22%3A2%7D&cmd_1=onClick&uuid_1=rPHPk&data_1=%7B%22pageX%22%3A692%2C%22pageY%22%3A318%2C%22which%22%3A1%2C%22x%22%3A52.20001220703125%2C%22y%22%3A1%7D

-> {"rs":[["cfmClose",[""]],["obsolete",["z_9wv5ec89<img src=a onerror=alert(1)>1571e99e33135221d","script: xxxx"

the "<img src=a onerror=alert(1)>" should not echo back