Encode, decode and test XSS payloads in multiple formats for security research and education. Includes a common payload library and safe sandboxed preview.
🔒 Security Tools
Free
Browser-based
Tool
⚠ Educational tool only. Use these payloads only in environments you own or have explicit permission to test. Cross-site scripting attacks against systems without authorization are illegal.
Encoded Variants
Original
HTML Entities
URL Encoded
Double URL
Base64
Hex Escaped
Unicode Escaped
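As an added example (not the tool's own code), the following JavaScript produces each of the variants listed above for one constructed sample payload and checks that every variant decodes back to the original. The exact rule behind each variant is an assumption made here, since the page only names them: HTML Entities encodes the five structural characters, Hex Escaped and Unicode Escaped use JavaScript string escapes per UTF-16 code unit, and Base64 is taken over the UTF-8 bytes.

```javascript
// Added example, not the tool's own code. The rule used for each variant is
// an assumption; the page only names the variants.
const PAYLOAD = '<img src=x onerror="alert(1)">'; // constructed sample payload

// HTML Entities: the five characters that change HTML structure.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlEntities(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// URL Encoded: percent-encode everything outside the unreserved set.
function urlEncode(s) {
  return encodeURIComponent(s);
}

// Double URL: encode the encoded form again ("%3C" becomes "%253C"). Useful when
// a payload is decoded twice on the way in, e.g. by a proxy and then the app.
function doubleUrlEncode(s) {
  return encodeURIComponent(encodeURIComponent(s));
}

// Base64 of the UTF-8 bytes (Buffer in Node; btoa() in a browser for ASCII input).
function base64Encode(s) {
  return Buffer.from(s, 'utf8').toString('base64');
}

// Hex Escaped: JavaScript string form \xHH per UTF-16 code unit. Code units above
// 0xFF cannot be written as \xHH, so they fall back to \uHHHH.
function hexEscape(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    out += code <= 0xff
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// Unicode Escaped: JavaScript string form \uHHHH per UTF-16 code unit.
function unicodeEscape(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

function encodeAll(payload) {
  return {
    original: payload,
    htmlEntities: htmlEntities(payload),
    urlEncoded: urlEncode(payload),
    doubleUrl: doubleUrlEncode(payload),
    base64: base64Encode(payload),
    hexEscaped: hexEscape(payload),
    unicodeEscaped: unicodeEscape(payload),
  };
}

// Decoders, so each variant can be checked to round-trip to the original.
function decodeHtmlEntities(s) {
  const reverse = Object.fromEntries(Object.entries(ENTITY_MAP).map(([k, v]) => [v, k]));
  return s.replace(/&amp;|&lt;|&gt;|&quot;|&#x27;/g, (e) => reverse[e]);
}
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, h2, h4) => String.fromCharCode(parseInt(h2 !== undefined ? h2 : h4, 16)));
}

// Returns true when every variant decodes back to the payload.
function roundTrips(payload) {
  const v = encodeAll(payload);
  return decodeHtmlEntities(v.htmlEntities) === payload
    && decodeURIComponent(v.urlEncoded) === payload
    && decodeURIComponent(decodeURIComponent(v.doubleUrl)) === payload
    && Buffer.from(v.base64, 'base64').toString('utf8') === payload
    && decodeJsEscapes(v.hexEscaped) === payload
    && decodeJsEscapes(v.unicodeEscaped) === payload;
}

console.log(encodeAll(PAYLOAD), 'round-trips:', roundTrips(PAYLOAD));
```

The Hex and Unicode forms are JavaScript string escapes, so they are only meaningful where the payload ends up inside a JavaScript string literal; the HTML and URL forms target the HTML body and query-string contexts respectively. Double URL encoding is the variant to try when a value is visibly decoded twice before it is rendered.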
Safe Sandboxed Preview (sandboxed iframe — JavaScript is blocked)
Common XSS Payload Library
Click any payload to load it into the editor
Basic Alert
Attribute Injection
Yes. The preview is rendered in an iframe whose sandbox attribute carries no allow-scripts token (and no allow-same-origin), so inline scripts, external scripts, event handlers such as onerror and javascript: URLs do not execute, and the frame runs in an opaque origin with no access to this page. You see how the markup is rendered, nothing more. Do not load payloads into an unsandboxed browser window or into real applications without authorization.
No. All encoding and the preview run locally in your browser; your payloads are never sent to a server.
Testing for XSS on systems you do not own or have explicit written authorization for is illegal in most jurisdictions (e.g. Computer Fraud and Abuse Act in the US, Computer Misuse Act in the UK). This tool is for authorized security testing and education only.
Use context-aware output encoding at the point where untrusted data is written into the page: HTML entity encoding in the HTML body and in quoted attributes, JavaScript string escaping inside script blocks, URL encoding for values placed in a query string, and for whole URLs (href, src) an allowlist of schemes such as http and https, because entity-encoding a javascript: URL does not neutralise it. Deploy a strict Content Security Policy (nonce- or hash-based script-src, no 'unsafe-inline'), which blocks injected inline scripts and event handlers even when an encoding step is missed. Prefer modern frameworks that escape by default, and audit their escape hatches (innerHTML-style APIs). Validate input server-side as defence in depth; it supplements output encoding but does not replace it.
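An added example (not the tool's code) that puts the advice above into working JavaScript: the same untrusted values rendered raw and then encoded for the context each one lands in, a scheme allowlist for href values, and a nonce-based CSP header. The profile-page template, the field names and the sample values are constructed for this example.

```javascript
// Added example, not the tool's code. Field names, template and sample
// values are assumptions made here for illustration.
const untrustedProfile = {
  name: '"><script>alert(1)</script>',           // lands in the HTML body and in a URL parameter
  homepage: 'javascript:alert(document.cookie)', // lands in an href
};

// HTML body and quoted-attribute context: encode the five structural characters.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL parameter context: percent-encode. The result contains no HTML-significant
// characters, so it can also sit inside a quoted attribute.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Whole-URL (href) context: encoding alone cannot help, because the browser
// decodes entities before parsing the URL, so "javascript:" survives
// encodeForHtml unchanged. Allowlist the scheme first, then encode.
function safeHref(s) {
  if (/^\/(?!\/)/.test(s)) return encodeForHtml(s); // site-relative path, not "//host"
  let u;
  try { u = new URL(s); } catch (e) { return '#'; }  // unparsable or relative: inert link
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return '#';
  // The WHATWG parser has already removed tabs/newlines and lowercased the scheme.
  return encodeForHtml(u.href);
}

// Vulnerable: raw interpolation in every context.
function renderVulnerable(p) {
  return `<h1>${p.name}</h1><a href="${p.homepage}">home</a><a href="/search?q=${p.name}">search</a>`;
}

// Hardened: each value encoded for the context it lands in.
function renderHardened(p) {
  return `<h1>${encodeForHtml(p.name)}</h1><a href="${safeHref(p.homepage)}">home</a><a href="/search?q=${encodeForUrlParam(p.name)}">search</a>`;
}

// Strict CSP: only scripts carrying this response's nonce run, and scripts they
// load are trusted via 'strict-dynamic'; injected inline scripts and event
// handlers are blocked even if an encoding step is missed. The nonce must be
// fresh per response from a CSPRNG (e.g. crypto.randomBytes) and is passed in here.
function cspHeader(nonce) {
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

console.log(renderVulnerable(untrustedProfile));
console.log(renderHardened(untrustedProfile));
console.log('Content-Security-Policy: ' + cspHeader('d2ViLXNlY3VyaXR5'));
```

Note that `safeHref` relies on the WHATWG URL parser rather than a regex on the raw string: the parser strips embedded tabs and newlines and lowercases the scheme, so the classic `JavaScript:` and `java\tscript:` spellings all resolve to a rejected `javascript:` protocol. The scheme check must run before encoding, since `encodeForHtml` leaves a `javascript:` URL byte-for-byte unchanged.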