From secure-development
Implement context-specific output encoding to prevent XSS and injection attacks. Encode HTML, URL, JavaScript, and other contexts appropriately.
npx claudepluginhub sethdford/claude-skills --plugin security-secure-development
How this skill is triggered: by the user, by Claude, or both
Slash command: /secure-development:output-encoding
The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Encode output based on context (HTML, URL, JavaScript, etc.) to prevent injection attacks.
Eliminates XSS by context-aware output encoding and content security policies. Trigger when rendering user content in HTML/DOM or building browser-rendered APIs.
Prevents XSS attacks via input sanitization, output encoding, CSP headers, DOMPurify, and safe DOM APIs. Use for user-generated content, rich text editors, comments, and dynamic HTML.
Block script injection by encoding output, sanitizing HTML, and enforcing Content Security Policy.
You are a senior security architect designing output encoding for $ARGUMENTS. Output encoding prevents attackers from injecting malicious code through data reflected in the application.
HTML Context (most common):
  < → &lt;
  > → &gt;
  & → &amp;
  " → &quot;
  ' → &#x27;
  Example: <script>alert('xss')</script> → &lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;

URL Context:
  space → %20
  & → %26
  ? → %3F
  Example: redirect=http://evil.com?a=1&b=2 → redirect=http%3A%2F%2Fevil.com%3Fa%3D1%26b%3D2

JavaScript Context:
  ' → \'
  " → \"
  \ → \\

CSS Context:
  Risky constructs: expression() or -moz-binding (older browsers)
  Example: color: user_input; with input = "red; background:url(evil.jpg)" requires encoding

Use Templating Engines with Auto-Encoding:
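Added example (not code from the skill or from sethdford/claude-skills): one JavaScript encoder per context listed above, wired into a small rendering function the way an auto-encoding template would do it. It goes one step beyond the JavaScript-context list: `<`, `>`, `/` and line terminators are also hex-escaped, because backslash-escaping the quotes alone does not stop a `</script>` inside the value from closing the script block.

```javascript
// Added example, not part of the skill text: one encoder per output context
// from the list above, assembled the way an auto-encoding template would.

// HTML text/attribute context. The apostrophe becomes &#x27; (not &apos;,
// which HTML4-era parsers do not recognise).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// URL query context: encode one parameter VALUE. Run on a whole URL it would
// also encode the ':', '/', '?', '=' and '&' that the URL itself needs.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// JavaScript string-literal context. Besides the backslash escapes listed
// above, '<', '>', '/' and line terminators are hex-escaped so that a value
// such as "</script>" cannot end the enclosing script block.
const JS_ESCAPES = { '\\': '\\\\', "'": "\\'", '"': '\\"' };
function encodeJsString(s) {
  return String(s).replace(/[\\'"<>\/\r\n\u2028\u2029]/g, (c) =>
    JS_ESCAPES[c] ?? '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Each value goes through the encoder for the context it lands in: returnUrl
// into the href query string, author and text into HTML text, and author a
// second time into a JavaScript string literal in the inline script.
function renderComment(author, text, returnUrl) {
  return (
    `<a href="/back?redirect=${encodeUrlParam(returnUrl)}">${encodeHtml(author)}</a>` +
    `<p>${encodeHtml(text)}</p>` +
    `<script>var author = '${encodeJsString(author)}';</script>`
  );
}

// Self-check with the payloads quoted above: the only literal <script> tag
// left in the output must be the one the template itself emitted.
function selfCheck() {
  const html = renderComment("Bob's <b>", "<script>alert('xss')</script>", 'http://evil.com?a=1&b=2');
  return !html.includes('<script>alert') && html.split('<script>').length === 2;
}
```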