---
title: Escape Data By Output Context
impact: MEDIUM
impactDescription: ensures correct encoding for each output context
tags: xss, escaping, context, encoding, security
---

## Escape Data By Output Context

Each output context (HTML text, HTML attribute, JavaScript, URL, HTTP header) is consumed by a different parser with its own grammar, so each needs its own encoder. HTML entity encoding targets the HTML parser; the body of a `<script>` element is handed to the JavaScript parser without entity decoding, so HTML-encoding data placed there corrupts the value and leaves JavaScript-significant characters (backslash, newline, U+2028/U+2029) untouched. Encoding for the wrong context gives no protection against XSS in that context, and the mismatch usually breaks the data as well.

**Incorrect (wrong encoding for context):**

```go
import (
    "fmt"
    "html"
    "net/http"
)

func badHandler(w http.ResponseWriter, r *http.Request) {
    userInput := r.URL.Query().Get("q")

    // Wrong: no CR/LF handling. Raw user data is trusted to be a single header
    // line (header injection wherever the HTTP layer does not strip CR/LF).
    w.Header().Set("X-Custom", userInput)

    // Wrong: same escape for all contexts. Entity encoding is for the HTML
    // parser; a <script> body reaches the JS parser without entity decoding,
    // so this is not JS-string escaping (backslashes and line terminators pass
    // through untouched) and the value itself arrives corrupted. Still unsafe!
    escaped := html.EscapeString(userInput)
    fmt.Fprintf(w, "<script>var x = '%s';</script>", escaped)
}
```

**Correct (context-appropriate encoding):**

```go
import (
    "encoding/json"
    "fmt"
    "html"
    "net/http"
    "net/url"
    "strings"
)

// renderPage writes one untrusted value into three output contexts, each with
// the encoder that context's parser expects.
func renderPage(w http.ResponseWriter, userInput string) error {
    // HTTP header context: CR/LF must never reach the wire. Go's net/http
    // replaces them with spaces when writing headers, but strip them (or,
    // better, reject the value) explicitly so the intent is visible and the
    // header is not silently altered. Headers go before any body bytes.
    safeHeader := strings.NewReplacer("\r", "", "\n", "").Replace(userInput)
    w.Header().Set("X-Custom", safeHeader)

    // HTML content context: entity-encode <, >, &, ' and "
    fmt.Fprintf(w, "<p>%s</p>", html.EscapeString(userInput))

    // JavaScript context: emit a JSON string literal. encoding/json escapes
    // <, >, & as \u003c etc. by default, so "</script>" cannot close the block,
    // and U+2028/U+2029 are escaped so the literal is valid JS.
    jsData, err := json.Marshal(userInput)
    if err != nil {
        return err
    }
    fmt.Fprintf(w, "<script>var x = %s;</script>", jsData)
    return nil
}

// redirectToSearch covers the URL query-parameter context: percent-encode the
// value before concatenating it into the query string.
func redirectToSearch(w http.ResponseWriter, r *http.Request, userInput string) {
    urlParam := url.QueryEscape(userInput)
    http.Redirect(w, r, "/search?q="+urlParam, http.StatusFound)
}
```

**Tools:** `html/template` (contextual autoescaping: it parses the markup around each action and picks the HTML, attribute, JavaScript, CSS or URL escaper from the template's own structure; prefer it over hand-assembled `fmt.Fprintf` markup), `gosec`
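The following is an added, runnable illustration of what contextual autoescaping does with a single value; it is not code from the original page. It feeds one constructed attacker-style string (the `Payload` constant, invented here) through one `html/template` template that places it in HTML text, in a JavaScript expression, and in a URL query parameter, and returns the rendered markup so the three encodings can be compared side by side. `Render` and `page` are names chosen for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"log"
)

// Payload is a constructed attacker-style input (example data, not from the
// page): it tries to close a script block, inject a tag, and break out of
// quoted strings and URLs.
const Payload = `</script><img src=x onerror=alert(1)>&'"`

// page is one template with the same {{.}} in three contexts. html/template
// parses the surrounding HTML at template-parse time and attaches the escaper
// each position needs: HTML text, JavaScript value, URL query component.
var page = template.Must(template.New("page").Parse(
	"<p>{{.}}</p>\n" +
		"<script>var x = {{.}};</script>\n" +
		`<a href="/search?q={{.}}">search</a>` + "\n"))

// Render executes the template with an untrusted string and returns the markup.
func Render(userInput string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, userInput); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	out, err := Render(Payload)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(out)
	// Expected output, one encoding per context for the same input:
	//   <p>&lt;/script&gt;&lt;img src=x onerror=alert(1)&gt;&amp;&#39;&#34;</p>
	//   <script>var x = "\u003c/script\u003e\u003cimg src=x onerror=alert(1)\u003e\u0026'\"";</script>
	//   <a href="/search?q=%3c%2fscript%3e%3cimg%20src%3dx%20onerror%3dalert%281%29%3e%26%27%22">search</a>
}
```

The HTML text context gets entity encoding, the script context gets a JSON string literal with `<`, `>` and `&` written as `\u003c`, `\u003e` and `\u0026` so the only `</script>` in the output is the template's own, and the query context gets percent-encoding. None of this is written by hand; swapping the template for `text/template` would emit the payload verbatim in all three places.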
