I'm currently doing some encoding work to protect a site from XSS attacks. We've stuck a bunch of <script>debugger;</script> tags in the db. Despite my best efforts, the strings I've encoded to stop the debugger getting hit (to prevent an XSS attack) are still getting hit in developer tools.

Is there a chance that double encoding something could cause this to happen or is that not possible?

Thanks in advance!

Sorry I realise I've posted this in the wrong section, it's been a while since I've visited DaniWeb.

commented: OK, I moved it. +14

We solved this by adding a new method to the string object to replace any <script> tags in a string to defuse it.

This solution removes any potential script tags and will prevent any html tags from being encoded (useful when you're trying to render out html from a string).
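On the double-encoding question in this thread: the sketch below is an added example, not code from any of the posters, and it models what the HTML parser does with the stored value when it is encoded zero, one, or two times. It assumes the value is written into an HTML text context; the helper names (`encodeHtml`, `decodeOnce`, `render`) are hypothetical.

```javascript
// Added example: hypothetical helper names, constructed sample input.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENCODE).map(([ch, ent]) => [ent, ch]));

// Encode a value for insertion into HTML text or a quoted attribute.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

// Undo exactly one layer of entity encoding, as the HTML parser does when it
// turns markup into a text node. The result is text; it is not parsed again.
function decodeOnce(markup) {
  return String(markup).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// True when the HTML parser would see the start of a tag in this markup.
function hasLiveTag(markup) {
  return /<\/?[a-z]/i.test(markup);
}

// Model of writing `markup` into the page as HTML:
// either it contains live markup, or it is displayed as plain text.
function render(markup) {
  const liveMarkup = hasLiveTag(markup);
  return { liveMarkup, shownAs: liveMarkup ? null : decodeOnce(markup) };
}

const stored = '<script>debugger;</script>'; // the value from the question
const once = encodeHtml(stored);
const twice = encodeHtml(once);

console.log(render(stored)); // live tag: the debugger statement is hit
console.log(render(once));   // inert, displayed as the original text
console.log(render(twice));  // inert, displayed with visible &lt; ... &gt;

// The failure mode to look for: a code path that decodes before output,
// or one that writes the raw stored value and never calls the encoder.
console.log(render(decodeOnce(once)));
```

In this model double encoding only changes what is displayed; the tag becomes live again only when something decodes the value before it reaches the page or the encoder is skipped on that output path.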