Nothing to do with XSS. This is just a poor addon. It has an overabundance of flaws and does not secure your site from anything more than a snooping bot or otherwise. Using this will place your payment modules at risk as it may block their callback URLs. It is also very resource intensive. There are much more elegant ways to implement something that will block prying eyes. If you read this topic well you will see that many users suffer from trying to use this addon. This mod appears to be started from an idea posted on these forums between a few other individuals some time back. Perhaps real support can be found in that thread.