Hi @rwinch ,

Could you please give clarification on below. im confused with some scenarios
tried with the spring-jackson-owasp-java app , when i consume the services directly in browser i get encoded response like below:

eg: http://localhost:8080/message?p="test input"

Response : {"message":"\u0022test\u0020input\u0022"}

Clarification required:

scenario 1:
But when i debug inside the java script im not able to see this encoded value ?

scenario 2:
when the services response contain with java script it will rendering as normal text while using text method( $("#output").text(data.message); ) but while using append method ( $("#output").append(data.message); ) the response is executed as script

sample response object:

{"message":"<script> window.location.href='https://localhot:8080/app/attack' </script> "}

so my question is in this application all the character are encoded in service side except alpha numeric , but event inside the ajax call we are not seeing encoded value and also the script is executed using append function , then how it will protected from xss attack? please clarify?