Advanced Encoding Scenarios
URL encoding contexts require special attention because URLs can appear in various places within HTML, each with different security implications. When encoding for URL parameters, spaces become %20, special characters get percent-encoded, and the encoding must preserve the URL structure. However, when URLs appear in JavaScript strings or HTML attributes, they need additional context-appropriate encoding on top of URL encoding. The complexity multiplies when dealing with data: URLs or javascript: pseudo-protocols that browsers execute as code.
CSS contexts, though less common, present unique encoding challenges. When user data appears within CSS, whether in style attributes or style blocks, it requires CSS-specific encoding. This includes encoding parentheses, quotes, and backslashes that could break out of CSS contexts. More critically, older browsers supported JavaScript execution within CSS through expressions and other mechanisms, making CSS contexts particularly dangerous in applications supporting legacy browsers.
Modern template engines handle most encoding automatically, but developers must understand when manual encoding is necessary. Edge cases like dynamically generating JavaScript, constructing URLs from multiple sources, or building HTML strings in JavaScript often require manual encoding. Create utility functions for these scenarios that handle encoding consistently. Test these functions thoroughly with known XSS payloads to ensure they provide adequate protection.
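The utility functions recommended above could look like the following added example, which is not code from the original page. The function names, the scheme allow-list and the `https://example.invalid/` resolution base are assumptions chosen for illustration. It layers URL encoding, a scheme check and HTML attribute encoding for a link built from several sources, and includes a separate CSS encoder.

```javascript
// Added example: context-specific encoders with hypothetical helper names.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML attribute context: neutralise characters that can end a quoted attribute
// value or start an entity.
function encodeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// CSS context: hex-escape everything except ASCII alphanumerics, so parentheses,
// quotes and backslashes cannot end the value. The trailing space terminates
// each escape sequence.
function encodeCss(value) {
  return Array.from(String(value), (ch) =>
    /[A-Za-z0-9]/.test(ch) ? ch : '\\' + ch.codePointAt(0).toString(16).toUpperCase() + ' '
  ).join('');
}

// Scheme allow-list (an assumption; adjust to the application). Parsing with the
// WHATWG URL class applies the same normalisation as a browser: scheme
// lowercased, tabs and newlines removed, leading whitespace ignored.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeUrl(raw) {
  try {
    // Relative URLs resolve against the constructed base and inherit https:.
    return SAFE_SCHEMES.has(new URL(String(raw), 'https://example.invalid/').protocol);
  } catch (err) {
    return false; // unparseable input is rejected
  }
}

// Build an href value from a base and parameters: percent-encode each part,
// check the scheme, then encode the whole URL for the attribute it lands in.
function buildLinkHref(base, params) {
  const query = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  const url = base + '?' + query;
  // encodeURIComponent leaves ' ( ) * ! untouched, so the attribute encoding
  // below is still required after percent-encoding.
  return isSafeUrl(url) ? encodeHtmlAttr(url) : '#';
}
```

The result of `buildLinkHref` is meant for a quoted `href` attribute only; a URL placed inside a JavaScript string needs JavaScript string encoding instead of the attribute step.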