docs: update XSS detector scope

Document the new DOM sink coverage for innerHTML, srcdoc,\ninsertAdjacentHTML, document.write, and React\ndangerouslySetInnerHTML, and clarify the JSON policy.

Author: oetr

docs/bug-detectors.md

@@ -136,10 +136,12 @@ _Disable with:_ `--disableBugDetectors=ssrf` in CLI mode; or when using Jest in
 
 ## Cross-Site Scripting (XSS)
 
-Detects active XSS payloads that survive common HTML sanitizers and HTML
-responses. The built-in detector validates return values from `sanitize-html`
-and `xss`, and inspects `http`/`http2` HTML responses for executable markup such
-as inline scripts, event handlers, `srcdoc`, and `javascript:` URLs.
+Detects active XSS payloads that survive common HTML sanitizers, server-side
+HTML responses, and instrumented DOM-writing sinks. The built-in detector
+validates return values from `sanitize-html` and `xss`, inspects `http`/`http2`
+HTML responses, and instruments `innerHTML`, `outerHTML`, `srcdoc`,
+`insertAdjacentHTML`, `document.write`, `document.writeln`, and React's
+`dangerouslySetInnerHTML` data structure.
 
 _Configuration:_ Additional sanitizer functions can be registered in the
 [custom hooks](./fuzz-settings.md#customhooks--arraystring) file.
@@ -152,9 +154,10 @@ getBugDetectorConfiguration("xss")
 	?.setMaxCapturedBodyBytes(256 * 1024);
 ```
 
-_Scope:_ The detector currently covers server-side HTML output and sanitizer
-return values. DOM property sinks such as `innerHTML` still require dedicated
-instrumentation and are not part of this built-in detector yet.
+_Scope:_ The detector covers sanitizer outputs, HTML response sinks, and the DOM
+sinks listed above. It does not treat `application/json` as an XSS sink by
+default; JSON-driven XSS is instead caught once poisoned data reaches an
+instrumented DOM sink.
 
 _Disable with:_ `--disableBugDetectors=xss` in CLI mode; or when using Jest in
 `.jazzerjsrc.json`: