diff --git a/files/en-us/web/security/attacks/xss/django-output.png b/files/en-us/web/security/attacks/xss/django-output.png deleted file mode 100644 index 3be4d822cdde167..000000000000000 Binary files a/files/en-us/web/security/attacks/xss/django-output.png and /dev/null differ diff --git a/files/en-us/web/security/attacks/xss/index.md b/files/en-us/web/security/attacks/xss/index.md index f7b05ca6d48995f..c3066f22a4d91ae 100644 --- a/files/en-us/web/security/attacks/xss/index.md +++ b/files/en-us/web/security/attacks/xss/index.md @@ -154,9 +154,9 @@ This is the appropriate choice when you want to treat input as text, for example
You searched for \{{ search_term }}.
``` -Most modern templating engines automatically perform output encoding. For example, if you pass `` into the Django template above, it will be rendered as text: +Most modern templating engines automatically perform output encoding. For example, if you pass `` into the Django template above, it will be rendered as text: -![Screenshot of Django template output with escaped HTML](django-output.png) +> You searched for <img src=x onerror=alert('XSS!')>. Similarly, if you're doing client-side rendering with React, values embedded in JSX are automatically encoded. For example, consider a JSX component like this: @@ -164,13 +164,13 @@ Similarly, if you're doing client-side rendering with React, values embedded in import React from "react"; export function App(props) { - return
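Review bot: In the index.md hunk, the replacement blockquote `> You searched for <img src=x onerror=alert('XSS!')>.` puts a raw `<img>` tag into Markdown, where it will be parsed as HTML rather than shown as text, so the rendered page will not display the escaped output the preceding sentence promises (and the tag will likely be stripped by the site sanitizer, leaving a blank line). Escape the angle brackets, e.g. `> You searched for &lt;img src=x onerror=alert('XSS!')&gt;.`, or wrap the fragment in a code span, so readers see the literal characters the template emits. Separately, the `-Most modern templating engines …` / `+Most modern templating engines …` pair appears identical in this view, with an empty code span in both lines, so please confirm the example payload inside the backticks survived the edit rather than being lost.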