That's true. Else such a severe bug will not be discovered.
But it does nothing with Lazarus, I think. Lazarus opens .md files as plain text, also not highlighted.
About XSS, we can't compare compiled code vs script code. I think that was your point of comparing it with Lazarus: Lazarus can never get an XSS by its nature if you don't include JavaScript or another scripting language in it (PascalScript, Lua, anything).
But if you do?
The same happens for WebView apps for Android, if you enable JavaScript your code is highlighted with a warning.
But in Lazarus we don't have the benefits of the web world. The web is a double-edged sword.