2,86d1 < escape: not used < UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? < BlahJs: quote ' backslash \ semicolon ; end tag < Title: < < < escape: none < UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? < BlahJs: quote ' backslash \ semicolon ; end tag < Title: < < < < escape: html < UrlArg: Secret Password~!@#$%^&*()+=-_|\[]{}:";'<>,.? < BlahJs: quote ' backslash \ semicolon ; end tag </script> < Title: </title><script>alert(1)</script> < < < < escape: js < UrlArg: Secret Password~!@#$%^\x26*()+=-_|\x5C[]{}:\x22\x3B\x27\x3C\x3E,.? < BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E < Title: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3E < < < < escape: url < UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F < BlahJs: quote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E < Title: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E < < < < Nested escaping: html < The internal calls should take precedence < url -> UrlArg: Secret+Password%7E!%40%23%24%25%5E%26*()%2B%3D-_%7C%5C%5B%5D%7B%7D%3A%22%3B%27%3C%3E%2C.%3F < js -> BlahJs: quote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E < html -> Title: </title><script>alert(1)</script> < < < Defining the macro echo_all inside of a "html" escape. < < < Calling echo_all() macro: < < not used: quote ' backslash \ semicolon ; end tag < none: quote ' backslash \ semicolon ; end tag < url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E < js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E < html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> < < < < Calling echo_all() macro from within "html": < < not used: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> < none: quote ' backslash \ semicolon ; end tag < url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E < js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E < html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> < < < < < Calling echo_all() macro from within "js": < < not used: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E < none: quote ' backslash \ semicolon ; end tag < url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E < js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E < html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> < < < < < Calling echo_all() macro from within "url": < < not used: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E < none: quote ' backslash \ semicolon ; end tag < url: %3C%2Ftitle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3Equote+%27+backslash+%5C+semicolon+%3B+end+tag+%3C%2Fscript%3E < js: \x3C\x2Ftitle\x3E\x3Cscript\x3Ealert(1)\x3C\x2Fscript\x3Equote \x27 backslash \x5C semicolon \x3B end tag \x3C\x2Fscript\x3E < html: </title><script>alert(1)</script>quote ' backslash \ semicolon ; end tag </script> < <