JavaScript string context breakout
Check whether user input can break out of script-block strings, JSON boot state, or inline event code.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Verify that user input is not written directly into script blocks
- Verify that safe JSON serialization handles closing </script> tokens
- Do not rely on HTML encoding to protect JavaScript string contexts
Payload
Use this when a value is inserted inside a JavaScript string literal.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- XSS defense must account for the output context. A value placed inside <script>window.__DATA__ = "..."</script> needs JavaScript-string encoding, not ordinary HTML escaping.
- </script> can terminate the HTML script element even when it appears inside a JavaScript string. Boot-state JSON needs safe serialization and closing-token escaping.
- Prefer keeping untrusted values out of script blocks entirely: fetch JSON separately, or render via text/attribute DOM APIs.
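Added example (not part of the original page): one way to do the safe serialization and closing-token escaping described above when boot-state JSON has to stay in a script block. The function names and the sample value are hypothetical and constructed for illustration.

```javascript
// Characters that are valid inside JSON strings but meaningful to the HTML
// parser (<, >, &) or to older JavaScript engines (U+2028, U+2029).
const UNSAFE = /[<>&\u2028\u2029]/g;

// Rewrite one character as a \uXXXX escape, which JSON and JS both decode.
function toUnicodeEscape(ch) {
  return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
}

const PREFIX = '<script>window.__DATA__ = ';
const SUFFIX = '</script>';

// Weak form: JSON.stringify quotes the string but leaves "</script>" intact,
// so the HTML parser ends the element in the middle of the string literal.
function naiveBootState(data) {
  return PREFIX + JSON.stringify(data) + SUFFIX;
}

// Hardened form: escaping "<" also covers "<!--" and a nested "<script",
// which change how the HTML parser tokenizes script content.
function safeBootState(data) {
  return PREFIX + JSON.stringify(data).replace(UNSAFE, toUnicodeEscape) + SUFFIX;
}

// How many script end tags the HTML parser would find in the markup.
// Exactly one (the real closing tag) is the expected count.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Recover the data from hardened markup to show the escaping is lossless.
function readBack(html) {
  return JSON.parse(html.slice(PREFIX.length, -SUFFIX.length));
}

// Constructed sample: a user-controlled field containing a closing token.
const sample = { name: 'Ann</script>tail', note: 'a & b \u2028 c' };

console.log('naive closes:', countScriptCloses(naiveBootState(sample)));
console.log('safe closes: ', countScriptCloses(safeBootState(sample)));
console.log('round trip ok:', readBack(safeBootState(sample)).name === sample.name);
```

HTML-escaping the same value would not help here: script content is not entity-decoded, so the JavaScript string would carry the literal entity text instead of the original characters.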