[pitboss] phase 02: M2 — Python end-to-end excellence with all hardening baked in

tests/dynamic_fixtures/python/xss_negative.py

@@ -0,0 +1,12 @@
+"""XSS — negative fixture.
+
+Safe function: uses html.escape() before rendering.
+Expected verdict: NotConfirmed (script tag escaped to <script>).
+"""
+import html
+
+
+def render_comment(user_input):
+    """Safe: HTML-escapes user input before rendering."""
+    safe = html.escape(user_input)
+    print(f"<div class='comment'>{safe}</div>")