nyx/tests/dynamic_fixtures/python/xss_positive.py

"""XSS — positive fixture.

Vulnerable function: echoes user input directly into HTML without escaping.
Expected verdict: Confirmed (XSS payload echoed verbatim to output).
"""


def render_comment(user_input):
    """Vulnerable: no HTML escaping."""
    html = f"<div class='comment'>{user_input}</div>"
    print(html)
[pitboss] phase 02: M2 — Python end-to-end excellence with all hardening baked in 2026-05-11 22:56:43 -04:00			`"""XSS — positive fixture.`

			`Vulnerable function: echoes user input directly into HTML without escaping.`
			`Expected verdict: Confirmed (XSS payload echoed verbatim to output).`
			`"""`


			`def render_comment(user_input):`
			`"""Vulnerable: no HTML escaping."""`
			`html = f"<div class='comment'>{user_input}</div>"`
			`print(html)`