---
title: Output Encoding Before Interpreter Use
impact: HIGH
impactDescription: prevents XSS and injection attacks
tags: xss, encoding, output, html, security
---
## Output Encoding Before Interpreter Use
XSS and injection attacks occur when unescaped user data is interpreted by browsers or other systems.
**Incorrect (no encoding):**
```typescript
// XSS vulnerability
app.get('/search', (req, res) => {
const query = req.query.q;
res.send(`Results for: ${query}
`); // XSS!
});
// React dangerouslySetInnerHTML without sanitization
```
**Correct (context-aware encoding):**
```typescript
import { escape } from 'html-escaper';
import DOMPurify from 'dompurify';
// HTML context
app.get('/search', (req, res) => {
const query = escape(req.query.q);
res.send(`Results for: ${query}
`);
});
// React - use JSX (auto-escapes)
Results for: {query}
// If HTML is needed, sanitize first
const cleanHtml = DOMPurify.sanitize(userContent);
// URL context
const safeUrl = encodeURIComponent(userInput);
// JavaScript context
const safeJson = JSON.stringify(userData);
```
**Encoding by Context:**
| Context | Encoding |
|---------|----------|
| HTML body | `<`, `>`, `&` |
| HTML attribute | Encode quotes |
| JavaScript | JSON.stringify() |
| URL | encodeURIComponent() |
**Tools:** SonarQube (S5131), Semgrep, ESLint