Lab 3
Level 1 - Beginner
Unsafe HTML Rendering Lab
Level 1 Client-Side Security simulation: learn why rendering unsanitized user input as raw HTML creates a direct injection risk.
Client-Side Security • 20 min
Learning Objectives
This lab is a controlled simulation only. No real backend or dangerous code execution is used.
Objective 1
Review a fake rendering flow that treats user input as HTML rather than plain text.
Objective 2
Trigger the unsafe rendering state with simple HTML or a more obviously dangerous payload.
Objective 3
Understand why sanitization and output escaping are essential for safe browser rendering.
Challenge Area
Use the input fields below to safely simulate the vulnerable behavior.
Rendered HTML Input
Fake Unsafe Renderer
Render mode: raw HTML
Input preview: (none yet)
Observed behavior: markup is interpreted directly
Result Panel
Enter user input into the unsafe renderer. The lab succeeds when the input demonstrates that raw HTML is being interpreted instead of safely escaped.
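The difference between the lab's raw HTML render mode and escaped output, as an added example that is not part of the lab's own code. The function names and sample inputs are constructed for illustration, and it runs in Node without a DOM:

```javascript
// Added example: models "Render mode: raw HTML" next to an escaping renderer.
// All names here are hypothetical; nothing is taken from the lab's source.

// Characters that change meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Output escaping: encode at the point of output so input stays plain text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: user input is concatenated into markup and interpreted as HTML.
function renderUnsafe(input) {
  return `<div class="preview">${input}</div>`;
}

// Safe: the same template, with the input escaped for the HTML text context.
function renderSafe(input) {
  return `<div class="preview">${escapeHtml(input)}</div>`;
}

// Rough check for tests: element names that user input adds to the output.
// A regex is not an HTML parser; use it only to compare the two renderers.
function injectedTags(rendered) {
  const inner = rendered.slice('<div class="preview">'.length, -"</div>".length);
  return [...inner.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample inputs (not taken from the lab).
const samples = ["plain text", "<b>bold</b>", 'Tom & "Jerry" <i>1 < 2</i>'];

for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log("  unsafe:", renderUnsafe(s), injectedTags(renderUnsafe(s)));
  console.log("  safe:  ", renderSafe(s), injectedTags(renderSafe(s)));
}
```

In a browser the same distinction is assigning user input to `element.innerHTML` versus `element.textContent`.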