thought the report, the comments say:
"comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as
expected for a successful exploit. This result should be manually verified to determine its accuracy."
Since the DOM was not modified, this would mean there is no vulnerability detected.
what the comments mean is that they tried to perform a cross site scripting attack, a lot of the attempt is left in tact, but the crucial < and > characters needed to make the attack actually work are being converted to < and > html entities, thus negating the attack.