Displaying user input as-is can let injected script run in visitors' browsers (XSS). We prevent it by converting special characters into HTML entities before the input is shown.
What you'll learn from this poster
What XSS is: Input runs as HTML / Fake buttons or snooping / Comment boxes are targets
HTML escaping: Convert angle brackets, quotes / Shown as text, not executed / e.g. < becomes &lt;
What it protects: Users' information / Prevents impersonation / Site trust
Defenses: Escape on output / Framework auto-escaping / Add CSP too
Convert special characters to block abuse
Usage: Free to print and display for learning at school or home (no sign-up). High-resolution portrait PNG (1024×1536); A3 or larger is recommended. Please do not sell, use commercially, or redistribute modified versions.