HTML Contextual Autoescaping Testbench

This is a testbed for a Java HTML autoescaper which aims to protect template languages from XSS.

You can enter a template in the box labeled "Template"; an action such as {{.X.Y}} interpolates property Y of property X of the JSON data value entered in the second box. The template is assumed to be trusted, and the JSON data is assumed to be malicious. An exploit occurs whenever a template that a naive but trusted author is likely to write suffers an XSS when rendered with some data value.
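The trust model above (trusted template, attacker-controlled data, escaping chosen per output context) is easiest to see by running the same {{.X.Y}} action in several contexts against data crafted for each one. The example below is added here and is not the testbench's Java code; it stands in Go's html/template, which implements the same contextual-autoescaping design and the same {{.X.Y}} syntax. The Render function, the Case type and all template and JSON strings are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"html/template"
)

// Render mirrors the testbench's two inputs: a trusted template source and an
// untrusted JSON document. html/template picks the escaper for each {{...}}
// action from the HTML, attribute, URL or JavaScript context it appears in, so
// the same data value is escaped differently depending on where the template
// author placed the action.
func Render(tmplSrc, jsonSrc string) (string, error) {
	var data interface{}
	if err := json.Unmarshal([]byte(jsonSrc), &data); err != nil {
		return "", fmt.Errorf("bad JSON data: %w", err)
	}
	t, err := template.New("t").Parse(tmplSrc)
	if err != nil {
		return "", fmt.Errorf("bad template: %w", err)
	}
	// Escaping is decided on first Execute. A template that ends in an
	// ambiguous context (for example an unclosed attribute quote) is rejected
	// here rather than guessed at.
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

// Case pairs a naive-but-plausible template with data chosen to break out of
// that template's context. All values are constructed for this example.
type Case struct {
	Name, Template, JSON string
}

var Cases = []Case{
	{"text", `<p>{{.X.Y}}</p>`,
		`{"X":{"Y":"<script>alert(1)</script>"}}`},
	{"attr", `<div title="{{.X.Y}}"></div>`,
		`{"X":{"Y":"\" onmouseover=\"alert(1)"}}`},
	{"url", `<a href="{{.X.Y}}">link</a>`,
		`{"X":{"Y":"javascript:alert(1)"}}`},
	{"js", `<script>var y = {{.X.Y}};</script>`,
		`{"X":{"Y":"</script><script>alert(1)</script>"}}`},
}

func main() {
	for _, c := range Cases {
		out, err := Render(c.Template, c.JSON)
		if err != nil {
			fmt.Printf("%-4s error: %v\n", c.Name, err)
			continue
		}
		fmt.Printf("%-4s %s\n", c.Name, out)
	}
}
```

Each case renders with the markup-significant characters neutralised for its own context: HTML entities in text and attribute values, the unsafe-scheme URL replaced by the `#ZgotmplZ` placeholder, and a JSON string literal with `<` and `>` written as `\u003c`/`\u003e` inside the script block, so the outer `</script>` remains the only one in the output. This is the property the testbench checks: no data value should turn a plausible template into an XSS.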

You can browse the source code online.

Please report issues to mikesamuel@gmail.com or the issue tracker.
