XSS Payload Encoder
Encode XSS payloads for security testing with HTML, URL, JS, and hex encoding.
Encode XSS payloads for security testing and learn how to properly sanitize user input. For authorized penetration testing and educational purposes only.
Prevention Tips
- Always encode output using context-aware encoding (HTML, URL, JS)
- Use Content-Security-Policy headers to restrict inline scripts
- Sanitize input on the server side — never trust client-side validation alone
- Use frameworks that auto-escape by default (React, Angular, Vue)
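
The first tip in practice, as an added example that is not part of the original page or the tool's own code: one untrusted value encoded for HTML, URL and JavaScript-string contexts, plus a check showing that an HTML encoder does not produce a correct JavaScript string. The function names and the sample value are constructed for illustration.

```javascript
// HTML element content and quoted attribute values.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A single URL component (query value or path segment).
function encodeUrlComponent(s) {
  // encodeURIComponent leaves !'()* untouched; percent-encode those as well.
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Inside a quoted string literal in an inline <script> block: everything
// outside a small allow-list becomes a \uXXXX escape, one per UTF-16 unit.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Place the same value into three output contexts, each with its own encoder.
function render(value) {
  return {
    html: `<p>${encodeHtml(value)}</p>`,
    url: `<a href="/search?q=${encodeUrlComponent(value)}">again</a>`,
    js: `<script>var q = "${encodeJsString(value)}";</script>`,
  };
}

// Does the encoded text, placed between double quotes, decode back to the
// original value? JSON string syntax stands in for a JS string literal here.
function survivesJsContext(encoder, value) {
  try {
    return JSON.parse('"' + encoder(value) + '"') === value;
  } catch (e) {
    return false; // the encoded text is not even a valid string literal
  }
}

// Constructed sample input containing the metacharacters of all three contexts.
const sample = `Tom & "Jerry" </script><b>'x'</b>`;
console.log(render(sample));
console.log('JS encoder in JS context:  ', survivesJsContext(encodeJsString, sample));
console.log('HTML encoder in JS context:', survivesJsContext(encodeHtml, sample));
```

The HTML encoder fails the last check because entities are not decoded inside a script block and it leaves backslashes and line breaks untouched, which is why each output context needs its own encoder.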