", "' onmouseover='alert(1)'", "" ], answer: 0, rationale: "Double quotes terminate the attribute value, allowing a new event handler to be injected. Entity encoding of < and > does not prevent attribute breakout when quotes are not escaped." }, { id: 2, domainCode: "1.0", domainName: "Advanced XSS Fundamentals", question: "During testing, you find a page that stores comments and later renders them inside a script block as: var msg = 'COMMENT';. The application only escapes single quotes and backslashes. Which approach is most appropriate to achieve JavaScript execution?", options: [ "Inject a payload that closes the string and appends a new statement, such as ';alert(1);//", "Use an iframe srcdoc payload to bypass the script block", "Insert a