Prepare for Content Security Policy violation reports, Switch to enforcing Content Security Policy. The #redir route is executed by another file, redir.html. Never put untrusted data into your HTML input, unless you follow the rest of the steps below. Encoding at the point of output allows you to change the use of data, for example, from HTML to a query string value. document.createElement(""), element.setAttribute("","value"), element.appendChild() and similar are safe ways to build dynamic interfaces. For example, a numeric string containing only the characters 0-9 won't trigger an XSS attack. OWASP recommends these in all circumstances. XSS is one of the most common and dangerous web vulnerabilities, and it is . \u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074, \u0077\u0072\u0069\u0074\u0065\u006c\u006e, "\u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064", "\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0031\u0029", "url(<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForURL(companyName))%>)", '<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForURL(userRelativePath))%>', "<%= Encode.forJavaScript(untrustedData) %>", "<%=ESAPI.encoder().encodeForJavascript(untrustedData)%>", "customFunction('<%=doubleJavaScriptEncodedData%>', y)", //HTML encoding is happening in JavaScript, "javascript:myFunction('<%=untrustedData%>', 'test');", "javascript:myFunction('<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForURL(untrustedData)) %>', 'test');",