<!DOCTYPE html> <html lang="en"> <head> <meta content="width=device-width, initial-scale=1" name="viewport"> <title>XSS a UTF-16 demo</title> </head> <body> <h1>XSS a UTF-16 demo</h1> <p>You should never, ever render user-supplied content as UTF-16 on the Web. Fortunately, the defense is easy: Always serve UTF-8. Here's a demo of the exploit:</p> <p>Here is some mojibake. To fix it, use the character encoding menu to choose another encoding.</p> <p> </p> </body> </html>
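One way to check the "always serve UTF-8" defense on a response before it ships. This is an added example, not code from the original page; the function name `audit_encoding` and the sample responses are constructed for illustration.

```python
import codecs
import re
from email.message import Message

# <meta charset=utf-8> or the http-equiv form, matched case-insensitively.
META_UTF8 = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?\s*utf-8\b', re.I)
UTF16_BOMS = (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)


def audit_encoding(content_type, body):
    """Return a list of findings; an empty list means the response pins UTF-8."""
    findings = []
    # 1. The HTTP Content-Type header should label the document as UTF-8.
    msg = Message()
    msg["Content-Type"] = content_type or "application/octet-stream"
    charset = msg.get_content_charset()  # lower-cased, or None if absent
    if charset != "utf-8":
        findings.append(f"header charset is {charset!r}, expected 'utf-8'")
    # 2. Browsers honour a byte order mark over the HTTP header, so a UTF-16
    #    BOM switches the decoder even when the header says UTF-8.
    if body.startswith(UTF16_BOMS):
        findings.append("body starts with a UTF-16 BOM")
    # 3. The bytes actually sent must be well-formed UTF-8.
    try:
        body.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append(f"body is not valid UTF-8 at byte {exc.start}")
    # 4. An in-document label (only looked for in the first 1024 bytes by
    #    browsers) keeps the page UTF-8 when it is saved or served without headers.
    if not META_UTF8.search(body[:1024]):
        findings.append("no <meta charset=utf-8> in the first 1024 bytes")
    return findings


# Constructed sample responses.
GOOD = (b'<!DOCTYPE html><html lang="en"><head><meta charset="utf-8">'
        b'<title>t</title></head><body><p>caf\xc3\xa9</p></body></html>')
UNLABELLED = (b'<!DOCTYPE html><html lang="en"><head><meta content="width='
              b'device-width, initial-scale=1" name="viewport"><title>t</title>'
              b'</head><body><p>user content</p></body></html>')
UTF16_BODY = codecs.BOM_UTF16_LE + "<p>user content</p>".encode("utf-16-le")

if __name__ == "__main__":
    for name, ctype, body in [("good", "text/html; charset=utf-8", GOOD),
                              ("unlabelled", "text/html", UNLABELLED),
                              ("utf-16 body", "text/html; charset=UTF-8", UTF16_BODY)]:
        print(name, audit_encoding(ctype, body))
```
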