Computer networks
m1rl0b, 2012-03-15 14:28:37

Question for web developers

Tell me, dear habravchans - if the site developer allows XSS vulnerabilities in the engine, you point it out to him and demand that he fix it, to which the response is: "Show sites that do not have them." I.e., he refuses to fix it. Is this normal or is it worth starting cooperation with such a “company”? )

Yes, one more thing: about cross-browser compatibility (Opera, Mozilla, IE, Chrome of the latest versions) there was an answer that this is possible only on sites with several pages. Although they completely wrote their own engine.


10 answer(s)
Hint, 2012-03-15
@Hint

They don't want to fix XSS (they also need to be fined for their presence)? Don't want to support the latest browsers? Of course, "to establish cooperation."

Max, 2012-03-15
@7workers

If I were you, I would also write indignantly so that everyone knows about them.

Ivan Zhuravlev, 2012-03-15
@InteractiveTechnology

You know, XSS might not be your biggest problem, judging by their expertise.

edogs, 2012-03-15
@edogs

This is unlikely to be a popular answer here, judging by the above, but
1) XSS is definitely bad. And they certainly need to be corrected. But whether a developer should do this for free depends on the situation.
1a) If you ordered the development of the engine and they are trying to hand it over to you "as is", then the developer must certainly fix everything for free.
1b) If a developer on your payroll was working on this engine, and now he has already been fired, then it is strange to demand this from him for free.
1c) If you ordered the development of the engine and after X months an XSS vulnerability was found, then everything depends on common sense. We personally, as developers, fix everything for free within six months, if suddenly something is found, but if more than six months have passed - sorry, the price list is already there.
1d) If you bought the engine, then see the terms of the agreement. The price of an engine usually directly depends on whether the developer fixes something or provides it as is.
2) Regarding different modern browsers and layout, everything is a little simpler, but again, not so clear.
2a) If you demand from the developer that the site look the same everywhere, but at the same time the content in your html editor is stuffed by a secretary who is only familiar with Word, sorry, the developer is 100% right here.
not for a programmer. So, depending on what the developer provided you, if it was not him who did the layout, but you provided it and he only pulled it, then questions to the layout designer.
2c) Making the site absolutely perfect and looking the same in all browsers is a tricky task. Perhaps, but few people do this “by default”, some not very significant nuances are allowed. So it all depends on how picky you are. If the pixel moved a little in one of the versions of chrome, then IMHO in vain. And if all the content went to half of the browsers, then this is another matter already.

Mikhail Osher, 2012-03-15
@miraage

Hindu code.

easterism, 2012-03-15
@easterism

Well, show them sites that do not have XSS, since they ask so.

un1t, 2012-03-15
@un1t

If people don’t know how to type and program, then it’s not clear why they take money. You should not cooperate with such developers.

piratus, 2012-03-15
@piratus

If, in a restaurant, there was someone's hair in your food, and the waiter, instead of apologizing and offering you a dessert at the expense of the institution, asked to see a restaurant where there is no hair in the food, would you begin to think whether it is worth "terminating cooperation"?

VeMax, 2012-03-15
@VeMax

Tie up. And the sooner the better.

werdender, 2012-03-15
@werdender

I support previous speakers.
