HTML Contextual Autoescaping Testbench

This is a testbed for a Java HTML autoescaper which aims to protect template languages from XSS.

Enter a template in the box labeled "Template"; {{.X.Y}} in the template interpolates property Y of property X of the JSON data value from the second input. The template is assumed to be trusted, and the JSON data is assumed to be malicious. An exploit occurs whenever a template that a naive but trusted author is likely to write suffers an XSS when rendered with any data value.
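As an added illustration (not the testbench's Java code), the Go program below uses Go's standard html/template, which shares the {{.X.Y}} syntax, as a stand-in contextual autoescaper and renders one template with and without escaping. The template, the JSON value and the `greet` handler name are constructed for this example.

```go
// Added example: Go's html/template stands in for the Java autoescaper.
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	htmltmpl "html/template"
	texttmpl "text/template"
)

// Trusted template a naive author might write: URL, attribute, JS string, text.
const tmplSrc = `<a href="{{.X.Url}}" title="{{.X.Name}}" ` +
	`onclick="greet('{{.X.Name}}')">{{.X.Name}}</a>`

// Constructed untrusted JSON data (sample input, not from the page).
const dataJSON = `{"X":{"Name":"'\"><script>alert(1)</script>","Url":"javascript:alert(1)"}}`

// Render returns the output without escaping and with contextual escaping.
func Render(src, data string) (naive, safe string, err error) {
	var v interface{}
	if err = json.Unmarshal([]byte(data), &v); err != nil {
		return
	}
	var nb, sb bytes.Buffer
	nt, err := texttmpl.New("naive").Parse(src) // plain substitution
	if err != nil {
		return
	}
	if err = nt.Execute(&nb, v); err != nil {
		return
	}
	st, err := htmltmpl.New("safe").Parse(src) // escaper chosen per context
	if err != nil {
		return
	}
	if err = st.Execute(&sb, v); err != nil {
		return
	}
	return nb.String(), sb.String(), nil
}

func main() {
	naive, safe, err := Render(tmplSrc, dataJSON)
	if err != nil {
		panic(err)
	}
	fmt.Printf("no escaping:\n%s\n\nautoescaped:\n%s\n", naive, safe)
}
```

In the autoescaped output the same Name value is encoded three different ways (HTML entities in the attribute and text, `\u003c`-style escapes inside the JavaScript string) and the `javascript:` URL is replaced by a harmless placeholder.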

You can browse the source code online.

Please report issues to or issue tracker.

Input JSON