Proposed Changes

  • add XSS context analyzer integration for fuzzing flow and context-aware payload replay
  • handle issue #7086 edge cases in context classification:
    • classify javascript: URIs as executable script context
    • avoid treating <script type="application/json"> blocks as executable script
    • make reflection checks robust against case-transformed reflections
    • classify srcdoc attribute context as HTML-injection context
  • fix spaced quoted attribute handling in tokenizer-based context detection
  • add/extend regression tests under pkg/fuzz/analyzers/xss/context_test.go

Proof

  • Added focused regression coverage in pkg/fuzz/analyzers/xss/context_test.go for the reported edge cases.
  • Local go test not executed in this environment because Go toolchain is unavailable in PATH.

Checklist

  • PR created against dev
  • All checks passed locally (toolchain unavailable in this runner)
  • Tests added for regression coverage
  • Documentation not required for this bugfix scope

/claim #7086
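The four context-classification edge cases listed above (javascript: URIs, non-executable script blocks, case-transformed reflections, srcdoc) and the spaced-quoted-attribute fix can be illustrated with a small stand-alone classifier. The following Go code is an added example written for this page; it is not code from this PR or from the nuclei analyzer, and the `Classify` function, the `Context` names, the sample bodies and the probe string `zxq1` are all constructed here. It generalizes slightly beyond the list: a `<script>` with any non-JavaScript `type` is treated as a data block (as browsers do), and `on*` event-handler attributes are counted as script context. HTML comments are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Context is the syntactic position where a reflected probe value lands.
type Context int

const (
	ContextNotFound      Context = iota // probe is not reflected at all
	ContextHTMLText                     // plain text between tags
	ContextAttribute                    // inside a tag or a quoted attribute value
	ContextScript                       // executable <script> body, javascript: URL, or on* handler
	ContextScriptData                   // non-executable <script type="..."> block (e.g. JSON)
	ContextHTMLInjection                // attribute whose value is parsed as HTML (srcdoc)
)

func (c Context) String() string {
	return [...]string{"not-found", "html-text", "attribute", "script", "script-data", "html-injection"}[c]
}

// Attributes whose value is a URL, so a javascript: scheme executes.
var urlAttrs = map[string]bool{"href": true, "src": true, "action": true, "formaction": true}

type attr struct {
	name             string
	valStart, valEnd int // [valStart, valEnd) in the body; -1 when the attribute has no value
}

type tag struct {
	name  string
	attrs []attr
	end   int // index one past the closing '>'
}

// parseTag scans a tag starting at s[i] == '<'. Quoted values may contain '>' without ending
// the tag, and whitespace around '=' (name = "value") is accepted.
func parseTag(s string, i int) tag {
	t := tag{}
	j := i + 1
	for j < len(s) && !strings.ContainsRune(" \t\n/>", rune(s[j])) {
		j++
	}
	t.name = s[i+1 : j]
	for j < len(s) {
		for j < len(s) && strings.ContainsRune(" \t\n/", rune(s[j])) {
			j++
		}
		if j >= len(s) || s[j] == '>' {
			break
		}
		k := j
		for k < len(s) && !strings.ContainsRune(" \t\n/>=", rune(s[k])) {
			k++
		}
		a := attr{name: s[j:k], valStart: -1, valEnd: -1}
		j = k
		for j < len(s) && strings.ContainsRune(" \t\n", rune(s[j])) {
			j++
		}
		if j < len(s) && s[j] == '=' {
			j++
			for j < len(s) && strings.ContainsRune(" \t\n", rune(s[j])) {
				j++
			}
			if j < len(s) && (s[j] == '"' || s[j] == '\'') {
				q := s[j]
				a.valStart = j + 1
				if e := strings.IndexByte(s[j+1:], q); e < 0 {
					a.valEnd, j = len(s), len(s)
				} else {
					a.valEnd = j + 1 + e
					j = a.valEnd + 1
				}
			} else { // unquoted value runs to whitespace or '>'
				a.valStart = j
				for j < len(s) && !strings.ContainsRune(" \t\n>", rune(s[j])) {
					j++
				}
				a.valEnd = j
			}
		}
		t.attrs = append(t.attrs, a)
	}
	if j < len(s) {
		j++ // consume '>'
	}
	t.end = j
	return t
}

// scriptExecutable reports whether a <script> tag's content runs as JavaScript:
// no type, an empty type, "module", or a JavaScript/ECMAScript MIME type.
func scriptExecutable(t tag, s string) bool {
	for _, a := range t.attrs {
		if a.name == "type" && a.valStart >= 0 {
			typ := strings.TrimSpace(s[a.valStart:a.valEnd])
			return typ == "" || typ == "module" ||
				strings.Contains(typ, "javascript") || strings.Contains(typ, "ecmascript")
		}
	}
	return true
}

// Classify reports where the first reflection of probe lands in body. Both sides are
// lower-cased first, so a case-transformed reflection is still located.
func Classify(body, probe string) Context {
	s := strings.ToLower(body)
	idx := strings.Index(s, strings.ToLower(probe))
	if idx < 0 {
		return ContextNotFound
	}
	for i := 0; i < idx; {
		if s[i] != '<' {
			i++
			continue
		}
		t := parseTag(s, i)
		if idx < t.end { // reflection is inside the tag itself
			for _, a := range t.attrs {
				if a.valStart < 0 || idx < a.valStart || idx >= a.valEnd {
					continue
				}
				val := strings.TrimSpace(s[a.valStart:a.valEnd])
				switch {
				case a.name == "srcdoc":
					return ContextHTMLInjection
				case urlAttrs[a.name] && strings.HasPrefix(val, "javascript:"):
					return ContextScript
				case strings.HasPrefix(a.name, "on"):
					return ContextScript
				}
				return ContextAttribute
			}
			return ContextAttribute
		}
		if t.name == "script" {
			closing := strings.Index(s[t.end:], "</script")
			if closing < 0 || t.end+closing > idx { // reflection sits inside the script element
				if scriptExecutable(t, s) {
					return ContextScript
				}
				return ContextScriptData
			}
			i = t.end + closing
			continue
		}
		i = t.end
	}
	return ContextHTMLText
}

func main() {
	// Constructed sample responses, all reflecting the probe "zxq1".
	for _, body := range []string{
		`<p>Hello zxq1 there</p>`,
		`<a href="javascript:zxq1">x</a>`,
		`<script type="application/json">{"q":"zxq1"}</script>`,
		`<div>ZXQ1</div>`,
		`<iframe srcdoc="<b>zxq1</b>"></iframe>`,
		`<input value = "zxq1" >`,
	} {
		fmt.Printf("%-55s -> %s\n", body, Classify(body, "zxq1"))
	}
}
```

The classifier only walks the body up to the reflection point, so it is cheap enough to run per probe; a real analyzer would additionally need HTML-comment handling and entity decoding before deciding which replay payloads are worth sending.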

Summary by CodeRabbit

  • New Features
    • Added a context-aware XSS analyzer with payload replay/verification and new reflection-detection utilities and types.
  • Bug Fixes
    • Improved thread-safety for random utilities and exported a stabilized random string helper.
    • Prevented nil-map/state leakage by isolating analyzer parameters per invocation.
    • Analyzers now receive HTTP response body, headers, and status for richer analysis.
  • Tests
    • Added extensive unit tests and benchmarks for reflection/context detection.

Claim

Total prize pool: $100
Total paid: $0
Status: Pending
Submitted: March 05, 2026
Last updated: March 05, 2026

Contributors: Abu1982 (@Abu1982), 100%

Sponsors: Bishnu Prasad Sahu (@mebishnusahu0595), $100