nyx/tests/dynamic_fixtures/python/xss_negative.py

"""XSS — negative fixture.

Safe function: uses html.escape() before rendering.
Expected verdict: NotConfirmed (script tag escaped to &lt;script&gt;).
"""
import html


def render_comment(user_input):
    """Safe: HTML-escapes user input before rendering."""
    safe = html.escape(user_input)
    print(f"<div class='comment'>{safe}</div>")
[pitboss] phase 02: M2 — Python end-to-end excellence with all hardening baked in 2026-05-11 22:56:43 -04:00			`"""XSS — negative fixture.`

			`Safe function: uses html.escape() before rendering.`
			`Expected verdict: NotConfirmed (script tag escaped to <script>).`
			`"""`
			`import html`


			`def render_comment(user_input):`
			`"""Safe: HTML-escapes user input before rendering."""`
			`safe = html.escape(user_input)`
			`print(f"<div class='comment'>{safe}</div>")`