1 · Four ways to put untrusted HTML on the page

A comment, a profile bio, a Markdown render: untrusted HTML reaching the DOM. Pick a payload, choose how you'd insert it, and see the resulting markup, a script-disabled preview, and a static analysis of what would execute. Safe lab: nothing here runs. Payloads are parsed inside an inert <template> and previewed in a sandboxed iframe with scripts off.

Resulting markup written to the DOM

Script-disabled preview (what a user sees)

Rendered with sandbox (no allow-scripts) — handlers can't fire here even when the markup is dangerous.
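As an added example, not the lab's own code: an offline version of the "static analysis of what would execute" panel, written with Python's stdlib html.parser. It tokenizes already-serialized markup and reports script elements, on* handler attributes, javascript: URLs and iframe srcdoc documents, treating <template> and <noscript> subtrees as inert. The attribute and tag lists and the scheme normalization are this example's own assumptions, and it does not reproduce the browser's tree-construction fixups, so run it on the markup the browser actually produced (the "Resulting markup" panel), not on the raw input.

```python
from html.parser import HTMLParser

# Assumed lists for this example: attributes that take a URL the browser may
# navigate to or load, and elements whose subtrees never execute.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
INERT_TAGS = {"template", "noscript"}


def url_scheme(value):
    """Approximate the URL parser's normalization before reading the scheme:
    drop leading/trailing C0 controls and spaces, remove embedded tab/CR/LF,
    lower-case. Returns "" when the value has no scheme."""
    value = value.strip("".join(chr(i) for i in range(0x21)))
    value = value.replace("\t", "").replace("\n", "").replace("\r", "")
    return value.split(":", 1)[0].lower() if ":" in value else ""


class ExecAnalyzer(HTMLParser):
    """Collects (kind, tag, attribute) findings for markup that could run
    script once it is live in the DOM."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self.inert_depth = 0  # > 0 while inside <template>/<noscript>

    def handle_starttag(self, tag, attrs):
        if tag in INERT_TAGS:
            self.inert_depth += 1
        if self.inert_depth:
            return
        if tag == "script":  # HTML or SVG script element
            self.findings.append(("script-element", tag, None))
        for name, value in attrs:  # html.parser lower-cases names
            if name.startswith("on"):  # any on* attribute is a handler
                self.findings.append(("event-handler", tag, name))
            elif tag == "iframe" and name == "srcdoc":
                self.findings.append(("srcdoc-document", tag, name))
            elif name in URL_ATTRS and value and url_scheme(value) == "javascript":
                self.findings.append(("javascript-url", tag, name))

    def handle_endtag(self, tag):
        if tag in INERT_TAGS and self.inert_depth:
            self.inert_depth -= 1


def analyze(markup):
    """Return the list of findings for one serialized markup string."""
    parser = ExecAnalyzer()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    # Constructed sample inputs, not payloads taken from the lab.
    for sample in ('<p>hello</p>', '<img src=x onerror="x()">',
                   '<template><script>x()</script></template>'):
        print(repr(sample), analyze(sample))
```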

2 · Mutation XSS — the parser rewrites your "clean" string

The subtle one. A sanitizer cleans an HTML string; when that cleaned string reaches the DOM, the browser parses it again, and the parser may restructure the tree, resurrecting markup that looked inert. This panel parses your input, serializes it back, then parses the result a second time, and flags any case where the round-trip changes the markup. That delta is where mXSS lives: a sanitizer is only safe if its output is a fixed point of the browser's parse-and-serialize cycle.

After parse #1 → serialize

After re-parse #2 → serialize