In Chrome's developer tools, you can use Control+F (or Command+F on MacOS) to search the DOM for your string. We want to hear from you! Therefore, the primary recommendation is to avoid including untrusted data in this context. In addition, WAFs also miss a class of XSS vulnerabilities that operate exclusively client-side. In JavaScript code, the main context is JavaScript but with the right tags and context closing characters, an attacker can try to attack the other 4 contexts using equivalent JavaScript DOM methods. \u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074, \u0077\u0072\u0069\u0074\u0065\u006c\u006e, "\u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064", "\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0031\u0029", "url(<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForURL(companyName))%>)", '<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForURL(userRelativePath))%>', "<%= Encode.forJavaScript(untrustedData) %>", "<%=ESAPI.encoder().encodeForJavascript(untrustedData)%>", "customFunction('<%=doubleJavaScriptEncodedData%>', y)", //HTML encoding is happening in JavaScript, "javascript:myFunction('<%=untrustedData%>', 'test');", "javascript:myFunction('<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForURL(untrustedData)) %>', 'test');",