TL;DR
Output encoding is the primary defense against XSS. Different contexts (HTML, JavaScript, URLs, CSS) need different encoding. Modern frameworks escape automatically, but you must avoid bypassing these protections. These prompts help you implement context-aware encoding.
Context-Aware Encoding
Encode for Each Context
Review my templates and ensure proper encoding for each context.
Different contexts need different encoding:
- HTML body: encode & < > " and ' (e.g. {htmlEncode(userInput)})
- HTML attributes: always quote the attribute and encode every non-alphanumeric character, so the value cannot break out even where a quote is missing
- JavaScript (inline script blocks): serialize with JSON.stringify or a JS-string encoder, then additionally escape < > & and the line terminators U+2028 and U+2029 as \uXXXX. JSON.stringify alone is not safe here: it leaves </script> intact, and the HTML parser closes the script element before the JavaScript parser ever runs (e.g. var data = {jsEncode(userInput)}; where jsEncode is JSON.stringify plus those escapes)
- URLs: use encodeURIComponent for query-string names and values; where user input forms the whole URL, encoding does not help and you must also allow only http: and https: so that javascript: and data: URLs are rejected
- CSS: encode, or better, do not place user input in CSS at all (extremely dangerous; avoid if possible)
Review each template file for:
- Places where user data is rendered
- Whether correct encoding is applied
- Any bypass of the framework's automatic escaping, such as dangerouslySetInnerHTML in React, v-html in Vue, the |safe filter or mark_safe in Django and Jinja templates, triple braces {{{ }}} in Handlebars, or direct innerHTML assignment
Flag any output of user data that is unencoded, or encoded for the wrong context (for example HTML-encoded data placed inside a script block or a URL).
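The following is an added example (not code from the original page) of what a template that passes this review looks like: one encoder per context, applied at each interpolation point, with a constructed sample input that carries a payload for every context. The function names htmlEncode, htmlAttrEncode, jsEncode, urlParam, safeHref and renderProfile are chosen here for illustration; it runs under Node.js with no dependencies.

```javascript
// Context-aware output encoders for a server-rendered page (Node.js, no dependencies).
// Added example, not code from the original page; the function names are chosen here.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body context: the five characters that can open or close markup or a quote.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// HTML attribute context: encode every non-alphanumeric code point, so the value
// stays inert even where a template forgot to quote the attribute.
function htmlAttrEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript context inside an inline <script>. JSON.stringify alone is not
// enough: the HTML parser ends the script element at the first "</script>"
// before the JavaScript parser runs, and JSON.stringify leaves "<", ">", "&"
// and the JS line terminators U+2028/U+2029 unescaped. Escape them as \uXXXX,
// which both JSON and JavaScript read back as the original character.
function jsEncode(value) {
  return JSON.stringify(value === undefined ? null : value).replace(
    /[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query-string context: percent-encode name and value separately.
function urlParam(name, value) {
  return `${encodeURIComponent(name)}=${encodeURIComponent(String(value))}`;
}

// When user input is the whole URL, encoding is not the issue: "javascript:"
// is a perfectly valid string. Parse it and allow only http(s). Returns the
// normalized URL, or null for anything else (relative URLs included).
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Each interpolation point uses the encoder for its own context.
function renderProfile(user) {
  const href = safeHref(user.site) || '#';
  const data = { name: user.name, bio: user.bio };
  return [
    `<p>Hello, ${htmlEncode(user.name)}</p>`,
    `<input name="display" value="${htmlAttrEncode(user.name)}">`,
    `<a href="${htmlAttrEncode(href)}">site</a>`,
    `<a href="/search?${urlParam('q', user.name)}">search</a>`,
    `<script>var data = ${jsEncode(data)};</script>`,
  ].join('\n');
}

// Constructed sample input carrying a payload for each context:
// attribute break-out plus script injection in the name, a script-element
// close in the bio, and a javascript: URL padded with whitespace the URL
// parser silently strips.
const SAMPLE_USER = {
  name: '"><script>alert(1)</script>',
  bio: 'x</script><script>alert(2)</script>',
  site: ' \tjavascript:alert(3)',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderProfile(SAMPLE_USER));
}
```

Running it prints a page in which the only script element is the one the template wrote itself; the injected </script> in the bio survives as \u003c/script\u003e inside the JSON literal, which the JavaScript engine decodes back to the original text after the HTML parser has already delimited the element. The safeHref check uses the platform URL parser rather than a string comparison precisely so that leading whitespace and embedded tabs, which browsers strip before matching the scheme, cannot smuggle a javascript: URL past it.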