Escape Output
Escape all dynamic output to prevent XSS attacks
CLAUDE.md
Escape all dynamic output rendered in HTML, JavaScript, or CSS contexts. Use your framework’s built-in escaping. Never insert user-provided content with innerHTML or dangerouslySetInnerHTML.
Copy this block into your CLAUDE.md or agent config file to enforce it in your workflow.
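An illustration of why the rule names separate contexts (added example, not part of the original rule): the same untrusted string needs different encoding in HTML markup and inside an inline script. The helper names `escapeHtml`, `html`, `jsonForScript`, `renderComment` and `renderBootstrap` are hypothetical; in a real project the framework's built-in escaping takes their place.

```javascript
// Added illustration; all helper names are hypothetical, not a framework API.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML text and quoted-attribute context: neutralise markup metacharacters.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are trusted markup written by the
// developer, every interpolated value is escaped before it is joined in.
function html(strings, ...values) {
  return strings.reduce((out, part, i) => out + escapeHtml(values[i - 1]) + part);
}

// Inline <script> context: HTML entities are not decoded there, so serialise
// as JSON and \u-escape the characters that could close the script element
// or start markup. JSON.parse and the JS parser read the result unchanged.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// HTML context: author goes into a quoted attribute, text into element content.
function renderComment(author, text) {
  return html`<p title="${author}">${text}</p>`;
}

// JavaScript context: server data embedded in an inline script block.
function renderBootstrap(data) {
  return "<script>window.__DATA__ = " + jsonForScript(data) + ";</script>";
}

// Constructed sample input standing in for user-provided content.
const sample = { author: 'a"b', text: "<b>hi</b> & bye", bio: "</script>" };

console.log(renderComment(sample.author, sample.text));
console.log(renderBootstrap({ bio: sample.bio }));

// Browser-side equivalent of the rule: assign untrusted text with
// element.textContent, which treats it as text, rather than
// element.innerHTML, which parses it as markup.
```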