Encode Output By Context
Untrusted data rendered into HTML must be encoded for the specific syntactic context where it lands: HTML body, HTML attribute, JavaScript string, URL, CSS value.…
$ prime install @security/rule-encode-output-by-context
Projection
Always in _index.xml · the agent never has to ask for this.
EncodeOutputByContext [rule] v0.1.0
Untrusted data rendered into HTML must be encoded for the specific syntactic context where it lands: HTML body, HTML attribute, JavaScript string, URL, CSS value. Use the templating engine's auto-escaping; never disable it for untrusted content. The wrong encoder for the context is no encoder.
Loaded when retrieval picks the atom as adjacent / supporting.
EncodeOutputByContext [rule] v0.1.0
Untrusted data rendered into HTML must be encoded for the specific syntactic context where it lands: HTML body, HTML attribute, JavaScript string, URL, CSS value. Use the templating engine's auto-escaping; never disable it for untrusted content. The wrong encoder for the context is no encoder.
Checks
- HTML body context: encode `<`, `>`, `&`, `"`, `'` (use the framework's HTML escaper).
- HTML attribute context: same as body PLUS quote the attribute and encode the quote character.
- JavaScript string literal context: hex-escape `\xHH` non-alphanumerics; never inject untrusted data into a `<script>` block at all if avoidable.
- URL context: percent-encode then validate the resulting URL is http/https.
- CSS value context: hex-escape `\HH` non-alphanumerics; only allow inside known-safe properties.
- Templating engine auto-escape on by default; manual `unsafe`/`raw`/`safe` markers reviewed individually with comment.
Label
Encode untrusted data at the output sink, in the right context
Loaded when retrieval picks the atom as a focal / direct hit.
EncodeOutputByContext [rule] v0.1.0
Untrusted data rendered into HTML must be encoded for the specific syntactic context where it lands: HTML body, HTML attribute, JavaScript string, URL, CSS value. Use the templating engine's auto-escaping; never disable it for untrusted content. The wrong encoder for the context is no encoder.
Checks
- HTML body context: encode `<`, `>`, `&`, `"`, `'` (use the framework's HTML escaper).
- HTML attribute context: same as body PLUS quote the attribute and encode the quote character.
- JavaScript string literal context: hex-escape `\xHH` non-alphanumerics; never inject untrusted data into a `<script>` block at all if avoidable.
- URL context: percent-encode then validate the resulting URL is http/https.
- CSS value context: hex-escape `\HH` non-alphanumerics; only allow inside known-safe properties.
- Templating engine auto-escape on by default; manual `unsafe`/`raw`/`safe` markers reviewed individually with comment.
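The checks above, carried out as one encoder per context and then layered at a single output sink, as an added example that is not part of the rule atom or of the prime project. It uses only the Python standard library; the function names, the CSS property allow-list and the sample input are assumptions made for this illustration. The CSS encoder goes one step beyond the check text by appending a space after each `\HH` escape, because a CSS parser consumes one trailing whitespace as part of the escape and would otherwise read a following hex digit as part of the code point.

```python
import html
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed sample input (not taken from the page): it contains a character
# that is special in every one of the five contexts.
TAINTED = 'O\'Neil <b>"&"</b>'

# Hypothetical allow-list: only these properties may ever carry untrusted values.
CSS_SAFE_PROPERTIES = frozenset({"color", "background-color", "font-size", "width"})


def encode_html_body(s: str) -> str:
    """HTML body context: entity-encode & < > " and ' (stdlib html.escape)."""
    return html.escape(s, quote=True)


def encode_html_attr(s: str) -> str:
    """HTML attribute context: same entities as the body; the value comes back
    already double-quoted so the caller cannot forget to quote it."""
    return '"' + html.escape(s, quote=True) + '"'


def encode_js_string(s: str) -> str:
    """JavaScript string-literal context: \\xHH for every non-alphanumeric
    character up to U+00FF, \\uHHHH (surrogate pairs above U+FFFF) beyond that,
    so nothing in the value can close the literal or the <script> element."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        cp = ord(ch)
        if cp <= 0xFF:
            out.append(f"\\x{cp:02X}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04X}")
        else:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}")
    return "".join(out)


def encode_url(s: str) -> Optional[str]:
    """URL context: percent-encode first, then accept the result only if it
    parses with an http or https scheme. Anything else (other schemes,
    scheme-relative or path-relative URLs, leading control characters, which
    the encoding step turns into %XX) yields None and must not be emitted."""
    encoded = quote(s, safe="/:?=&#")
    scheme = urlsplit(encoded).scheme.lower()
    return encoded if scheme in ("http", "https") else None


def encode_css_value(s: str) -> str:
    """CSS value context: \\HH hex-escape every non-alphanumeric character.
    The trailing space is part of the escape; without it, '\\3C' followed by
    the letter 'a' would be parsed as the single code point U+3CA."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"\\{ord(ch):02X} ")
    return "".join(out)


def css_declaration(prop: str, value: str) -> str:
    """Untrusted values are allowed only inside known-safe properties."""
    if prop not in CSS_SAFE_PROPERTIES:
        raise ValueError(f"property {prop!r} is not on the allow-list")
    return f"{prop}: {encode_css_value(value)};"


def render_card(display_name: str, link: str, color: str) -> Optional[str]:
    """One sink, five contexts, each with its own encoder. Values that cross
    two contexts are encoded twice, innermost first: the URL is URL-encoded and
    then attribute-encoded, the CSS declaration is CSS-encoded and then
    attribute-encoded. Returns None when the link fails URL validation.
    The <script> line is included only to show the JS encoder; the rule prefers
    not to put untrusted data in a script block at all."""
    href = encode_url(link)
    if href is None:
        return None
    return (
        f"<div style={encode_html_attr(css_declaration('color', color))}>"
        f"<a href={encode_html_attr(href)} title={encode_html_attr(display_name)}>"
        f"{encode_html_body(display_name)}</a>"
        f"<script>var who = \"{encode_js_string(display_name)}\";</script>"
        "</div>"
    )


if __name__ == "__main__":
    print(render_card(TAINTED, "https://example.com/a b?x=<y>", "red"))
    print(render_card(TAINTED, "javascript:void(0)", "red"))  # None: rejected
```

The point the rule makes is visible in `render_card`: the same string is encoded differently in each place it lands, and an encoder chosen by destination rather than by source is what makes the output safe. Swapping in a single "escape everything" helper would break the URL (its `/` and `?` would be mangled) or leave the JavaScript literal open, which is the sense in which the wrong encoder is no encoder.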
Label
Encode untrusted data at the output sink, in the right context
Source
prime-system/examples/security-appsec/primes/compiled/@security/rule-encode-output-by-context/atom.yaml