
Abstract

Web applications consume data from different inputs. Some of these inputs originate from untrusted sources, such as user inputs which will be rendered in browsers or browser-based applications such as mobile apps. Many applications with these functions are subject to cross-site scripting (XSS) attacks, as injected malicious inputs can cause undesired remote code execution in browsers.

The prevalence of these script injection attacks is due to a mixture of data and code in web pages. To prevent such XSS attacks, one of the most common security attacks today, web applications should sanitize untrusted data using output encoding functions before displaying them on web pages. To successfully prevent XSS attacks, the encoding must match the context in which untrusted data appears, such as HTML body, JavaScript, and style sheets. A common programming error is the use of a wrong type of encoder to sanitize untrusted data, leaving the application vulnerable.

I introduce a security unit testing approach to detect XSS vulnerabilities caused by improper encoding of untrusted data. Unit tests for the XSS vulnerability are constructed out of each web page and then evaluated by a unit test execution framework. A grammar-based attack generator is devised to automatically generate test inputs. I also introduce a vulnerability repair technique that can automatically fix detected vulnerabilities in many situations. Evaluation of this approach has been conducted on an open source medical record application written in JSP.
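
The encoder/context mismatch described in the abstract, as an added Python example that is not taken from the thesis: it models a browser HTML-decoding an `onclick` attribute before running it as JavaScript, and a unit-test style check that flags values which leave the string literal. The template, the `show` handler, the probe values and the simplified browser model are all assumptions made for illustration.

```python
import html

# Hypothetical page fragment: untrusted data lands inside a JavaScript string
# literal that itself sits inside an HTML attribute (two nested contexts).
TEMPLATE = '<a onclick="show(\'{}\')">view</a>'

def js_string_encode(value):
    """Escape every non-alphanumeric character as \\uXXXX (per UTF-16 unit)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%02x%02x" % (units[i], units[i + 1]))
    return "".join(out)

def render_wrong(value):
    """HTML encoder only: the wrong encoder for a JavaScript string context."""
    return TEMPLATE.format(html.escape(value, quote=True))

def render_right(value):
    """JavaScript-string encoding first, then HTML attribute encoding."""
    return TEMPLATE.format(html.escape(js_string_encode(value), quote=True))

def handler_source(page):
    """Simplified browser model: HTML-decode the onclick attribute value."""
    start = page.index('onclick="') + len('onclick="')
    return html.unescape(page[start:page.index('"', start)])

def stays_in_literal(js):
    """True if the argument of show('...') is one unbroken string literal."""
    prefix = "show('"
    i = len(prefix)
    while js.startswith(prefix) and i < len(js):
        if js[i] == "\\":
            i += 2            # skip the escaped character
        elif js[i] == "'":
            return js[i + 1:] == ")"
        elif js[i] in "\r\n":
            return False      # raw line break ends the literal
        else:
            i += 1
    return False

def find_mismatches(render, probes):
    """Return the probe values that break out of the string literal."""
    return [p for p in probes if not stays_in_literal(handler_source(render(p)))]

# Constructed probe values: a plain name, an apostrophe, a trailing backslash.
PROBES = ["alice", "O'Brien", "a\\"]
```

The plain value passes under both renderers, which is why this class of bug tends to survive functional testing; only inputs containing characters significant to the inner context expose the mismatch.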
