Posts

Cross-site scripting is still one of the easiest ways to turn a small rendering mistake into a full account takeover. If you build donation flows, event pages, admin dashboards, checkout forms, or email template editors like the kinds of features you’d expect around Humanitix, you’re handling user-controlled content constantly. That’s exactly where XSS shows up. The boring version of XSS advice is “escape output.” True, but too shallow to be useful. Real apps have rich text, markdown, embedded widgets, analytics snippets, query-string state, and legacy code that still pokes the DOM directly. That’s where teams get burned. ...

I’ve worked on enough legacy jQuery codebases to know how XSS sneaks in: not through one giant mistake, but through dozens of “harmless” shortcuts. A team I helped had a customer support dashboard built over several years. Classic jQuery app. Server-rendered shell, lots of AJAX fragments, user comments, admin notes, profile fields, search terms reflected back into the UI. Everything felt normal until a security review found stored and reflected XSS in multiple places. ...

A few years ago, I helped clean up a customer support dashboard that had a “small” XSS bug nobody took seriously. The team’s first reaction was predictable: “So what? Our session cookie is SameSite=Lax. We’re fine.” They weren’t fine. The attacker didn’t need anything fancy. They found a stored XSS bug in an internal comments feature, dropped in a payload, and every support agent who viewed that ticket executed attacker-controlled JavaScript in their browser. The original fear was cookie theft, but the real damage was bigger: account actions, data extraction, and session abuse. Cookie theft was just the easiest thing to explain to the team. ...

Electron gives web developers a fast path to desktop apps. That speed comes with a nasty tradeoff: an XSS bug in Electron can become a local code execution bug if you wire things carelessly. That’s the core difference from browser-only XSS. In a normal website, XSS usually means session theft, UI redressing, or data exfiltration. In Electron, XSS can cross the line into filesystem access, shell execution, credential theft, and full app compromise. ...

Softr sits in an awkward but very common security category: “low-code platform that feels safe until someone pastes HTML into it.” That’s not a knock on Softr specifically. Every builder that mixes structured content, embeds, and optional custom code ends up with the same XSS questions: Can users inject script? Can admins accidentally create script sinks? Does the platform escape content consistently? What happens when teams add custom JavaScript, embeds, or third-party widgets? If you build on Softr, the XSS story is less about one dramatic platform flaw and more about understanding where the platform helps you, where it gets out of your way, and where you can still hurt yourself. ...

Prototype pollution is one of those bug classes that sounds academic until you watch it turn a harmless config object into script execution. For a developer audience, the useful question is not “what is prototype pollution?” You probably already know the basics. The better question is: when does prototype pollution actually become XSS, and how does that compare to more direct XSS paths? That comparison matters because prototype pollution is rarely the last bug in the chain. It is usually the force multiplier. ...

Netlify Forms are convenient, but they create a classic security trap: teams treat form submissions like harmless content, then render them in dashboards, emails, thank-you pages, or admin tools without thinking about XSS. That’s where things go sideways. Netlify handles submission collection. It does not magically make user input safe to render as HTML. If someone submits <img src=x onerror=alert(1)>, that payload is still just attacker-controlled input. The XSS happens later, when your code inserts that input into the DOM unsafely. ...

WordPress theme code is where a lot of XSS bugs quietly survive for years. I’ve seen the same pattern over and over: the plugin gets blamed, the CMS gets blamed, but the actual issue lives in a theme template that prints user-controlled data with zero escaping. Theme developers often focus on layout, custom fields, menus, search forms, AJAX helpers, and admin options. Security ends up as an afterthought. The awkward part is that WordPress already gives you solid escaping and sanitization APIs. Most theme XSS bugs happen because developers either skip them or use the wrong one in the wrong context. ...

ToolJet is great for shipping internal tools fast. That speed is also exactly why people end up shipping XSS bugs fast. I’ve seen the same pattern over and over: a team treats ToolJet like a safe abstraction layer, assumes the platform handles all rendering risks, then mixes user input into HTML, JavaScript, or query results. Now the “internal tool” is running arbitrary script in an admin’s browser. That’s still XSS. Internal apps still hold production data, admin sessions, API tokens, and enough privileges to ruin your week. ...

Salesforce Lightning gives you more XSS protection than a typical front-end stack. That’s the good news. The bad news: people hear “Salesforce sanitizes things” and stop thinking like attackers. That’s how XSS bugs survive in Lightning apps. If you build on Salesforce, the real question isn’t “does Lightning prevent XSS?” It’s “which layer is protecting me right now, and what breaks when I bypass it?” The answer changes depending on whether you’re in Aura, Lightning Web Components, Visualforce embedded in Lightning, or a third-party script trying to do clever stuff. ...