XSS Encoding Lab

Practice encoding untrusted data for the right output context. This is a conceptual drill: the goal is to build the habit of encoding for the context where the data is used.

Output context

Pick the context where your untrusted value will be inserted.

Try including quotes, angle brackets, and event handlers.

HTML encoding is for text nodes. For JS/CSS contexts, use context-specific escaping and avoid string-building where possible.
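The same untrusted value encoded for four output contexts, as an added example that is not part of the original lab. The function names, the safe-character sets and the sample input are assumptions chosen here for illustration.

```javascript
// Added example: names and the sample input are constructed for illustration.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

const encoders = {
  // HTML text node or quoted attribute value: entity-encode markup characters.
  html: (v) => v.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]),

  // JavaScript string literal: \uXXXX for every UTF-16 unit outside a small
  // safe set, so quotes, backslashes, "</script>" and line breaks stay inert.
  jsString: (v) => v.replace(/[^A-Za-z0-9 ,._]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')),

  // CSS string or identifier: backslash + hex code point + terminating space.
  css: (v) => v.replace(/[^A-Za-z0-9]/gu,
    (ch) => '\\' + ch.codePointAt(0).toString(16) + ' '),

  // URL query parameter value: percent-encode. This does not make a whole
  // URL safe for href/src; the scheme still needs an allowlist.
  urlParam: (v) => encodeURIComponent(v),
};

function encodeFor(context, untrusted) {
  // Own-property check so names like "toString" are not treated as contexts.
  if (!Object.prototype.hasOwnProperty.call(encoders, context)) {
    throw new Error('unknown output context: ' + context);
  }
  return encoders[context](String(untrusted));
}

// Constructed sample input with quotes, angle brackets and an event handler.
const sample = `"><img src=x onerror='alert(1)'>`;
for (const context of Object.keys(encoders)) {
  console.log(context.padEnd(9), encodeFor(context, sample));
}
```

Where the platform offers a safe sink such as `textContent` or `setAttribute`, prefer it over building markup from encoded strings.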

This training content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly. Send corrections to [email protected].