Skill

output-encoding

Implement context-specific output encoding to prevent XSS and injection attacks. Encode HTML, URL, JavaScript, and other contexts appropriately.

From secure-development

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-secure-development

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

Context Matters: HTML encoding ≠ URL encoding ≠ JavaScript encoding; use the right encoding for the context

Defense in Depth: Validation prevents bad input; encoding prevents bad output from being executed

Double Encoding Risk: Don't double-encode (encode then encode again); decode once, encode once per context

Instructions

HTML Context (most common):

< → <
> → >
& → &
" → "
' → '
Example: <script>alert('xss')</script> → <script>alert('xss')</script>

URL Context:

Encode special characters: space → %20, & → %26, ? → %3F
Use URL-safe encoding (percent-encoding/RFC 3986)
Example: redirect=http://evil.com?a=1&b=2 → redirect=http%3A%2F%2Fevil.com%3Fa%3D1%26b%3D2

JavaScript Context:

Escape quotes: ' → \', " → \"
Escape backslashes: \ → \\
Avoid dynamic code generation with untrusted input (instead use JSON and JSON.parse)
Example: data passed to JavaScript should be JSON-encoded, then parsed safely

CSS Context:

Escape special characters: newline, quote, backslash
Avoid using expression() or -moz-binding (older browsers)
Example: color: user_input; with input = "red; background:url(evil.jpg)" requires encoding

Use Templating Engines with Auto-Encoding:

Modern frameworks (React, Vue, Angular, Django, Jinja2) auto-escape HTML by default
Understand when auto-escaping is disabled (raw/unescape filters) and use only when necessary
Never disable auto-escaping globally; only for specific trusted data

Anti-Patterns

Relying on client-side encoding; always encode server-side

Encoding in the wrong context; HTML encoding is not URL safe; don't reuse encodings

Double-encoding; if data is already JSON-encoded, don't HTML-encode it again

Trusting "frameworks handle it"; verify auto-escaping is enabled; some template engines have it disabled by default

Encoding user input instead of output; validate input, encode output; these are separate concerns

Domain Context

Context Matters: HTML encoding ≠ URL encoding ≠ JavaScript encoding; use the right encoding for the context

Defense in Depth: Validation prevents bad input; encoding prevents bad output from being executed

Double Encoding Risk: Don't double-encode (encode then encode again); decode once, encode once per context

Instructions

HTML Context (most common):

< → <
> → >
& → &
" → "
' → '
Example: <script>alert('xss')</script> → <script>alert('xss')</script>

URL Context:

Encode special characters: space → %20, & → %26, ? → %3F
Use URL-safe encoding (percent-encoding/RFC 3986)
Example: redirect=http://evil.com?a=1&b=2 → redirect=http%3A%2F%2Fevil.com%3Fa%3D1%26b%3D2

JavaScript Context:

Escape quotes: ' → \', " → \"
Escape backslashes: \ → \\
Avoid dynamic code generation with untrusted input (instead use JSON and JSON.parse)
Example: data passed to JavaScript should be JSON-encoded, then parsed safely

CSS Context:

Escape special characters: newline, quote, backslash
Avoid using expression() or -moz-binding (older browsers)
Example: color: user_input; with input = "red; background:url(evil.jpg)" requires encoding

Use Templating Engines with Auto-Encoding:

Modern frameworks (React, Vue, Angular, Django, Jinja2) auto-escape HTML by default
Understand when auto-escaping is disabled (raw/unescape filters) and use only when necessary
Never disable auto-escaping globally; only for specific trusted data

Anti-Patterns

Relying on client-side encoding; always encode server-side

Encoding in the wrong context; HTML encoding is not URL safe; don't reuse encodings

Double-encoding; if data is already JSON-encoded, don't HTML-encode it again

Trusting "frameworks handle it"; verify auto-escaping is enabled; some template engines have it disabled by default

Encoding user input instead of output; validate input, encode output; these are separate concerns

output-encoding

output-encoding

Output Encoding

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Output Encoding

Context

Domain Context

Instructions

Anti-Patterns

Further Reading