Cross-site scripting flaws plague web applications, report says