Can You XSS This?

This arena aims to answer the age-old question: Whose XSS prevention reigns supreme? To realize this dream, we have assembled the top anti-XSS libraries and will pit them against one another! We await the challenges of hackers from around the world!

If you defeat one of these libraries, your name will be inscribed on this site as one of the great hackers of all time!

Sanitizers - Use these if your input needs to include HTML

HTMLSanitizer (rev 90)

A fast, easy-to-configure HTML sanitizer written in Java that lets you include HTML authored by third parties in your web application while protecting against XSS. HTMLSanitizer works by removing dangerous or unwanted tags and attributes from input and is suitable for places where HTML user input is required.
Try HTMLSanitizer now! Go to project website.


The OWASP AntiSamy project is an API for ensuring that user-supplied HTML/CSS complies with an application's rules.
Try AntiSamy now! Go to project website.


jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jQuery-like methods.
Test coming soon. Go to project website.

Encoders - Encode non-HTML input for different contexts

OWASP Encoder (v1.0)

A simple-to-use drop-in encoder designed for high-availability/high-performance encoding functionality. No third-party libraries or configuration necessary.
Try OWASP Encoder now! Go to project website.