About “Cross-Site Scripting”:
Cross-site scripting (XSS) happens when a service renders a user’s input directly into HTML without applying input escaping.
I’d prefer “without applying input encoding”.
“escaping” and “encoding” could be used for the same purpose. Even OWASP talks about “encode/escape” in some pages. However, I’d prefer “encoding” because of this reason: