Now it automatically adds to all post-forms on page, so when we have form to interact with foreign services we have some disadvantages:
I think we can track it on client side and switch it off (delete) if form requires it.
Fix #1112: Switch off «anti_xss» for outside post forms
Now we can add `xp-off` class to POST form to switch off adding anti XSS
`x` parameter (added by default).