Unsafe input:
Safe input:
Unsafe input with output escaping:
Example XSS attack strings:
<script>alert(1)</script>
<img src="x"; onerror="alert(1)">
script-src-attr