Posts

Carrd is deceptively simple. That’s why people get sloppy with it. You drag in text, forms, embeds, maybe a custom code block, publish, and move on. From an XSS perspective, that “simple landing page builder” can still become a script execution surface if you treat every HTML box, embed, and third-party widget like a safe sandbox. It isn’t. This guide is the practical version: where XSS shows up in Carrd, what Carrd does and doesn’t protect you from, and what to actually paste into your setup. ...

Cal.com embeds are convenient, but they also create one of my least favorite frontend security situations: third-party UI mixed with app code that was never designed for hostile input. The Cal.com script itself isn’t the usual problem. The problem is everything around it: how teams build embed URLs, how they pass prefill data, how they read query params, and how they inject user-controlled values into the page next to the widget. ...

Trusted Types is one of the few browser security features that actually changes developer behavior in a useful way. I like it because it goes after a common failure mode in front-end code: taking strings from somewhere untrusted and shoving them into dangerous DOM APIs like innerHTML, outerHTML, insertAdjacentHTML, or eval-adjacent sinks. That is exactly how a lot of DOM XSS happens in real apps. The short version: Trusted Types turns dangerous string-based DOM injection into a type-checked operation. Instead of passing raw strings into risky sinks, you pass special objects like TrustedHTML, usually created by a policy that sanitizes or validates the content first. ...

Shopify developers often assume Liquid gives them automatic XSS protection. That assumption is where trouble starts. Liquid does help, but only in very specific contexts. The moment you move data from HTML text into attributes, JavaScript, JSON, URLs, or raw HTML blocks, the safety story changes fast. I’ve seen plenty of themes that look clean at first glance and still leave enough room for script injection through product data, metafields, cart attributes, or section settings. ...

Qwik does a lot right for security by default, but “by default” is where people get lazy. I’ve seen teams assume that because they’re using a modern framework, XSS is basically handled. Then somebody adds raw HTML rendering for a CMS snippet, builds a cute dynamic link component, or injects JSON into the page during SSR, and now the app has a very old-school bug wearing a very modern outfit. ...

Third-party JavaScript is one of the fastest ways to lose control of your frontend security. Analytics, chat widgets, A/B testing tools, tag managers, ad scripts, embedded dashboards — they all run with your page’s privileges unless you isolate them. If one gets compromised, your users see the blast radius, not the vendor. From the browser’s point of view, that script is your code. This is the part many teams get wrong: XSS is not only about your own unsafe innerHTML. It is also about every script you allow to execute in your origin. ...

v-html is one of those Vue features that feels convenient right up until it becomes a security incident. If you render untrusted HTML with v-html, you are bypassing Vue’s normal escaping protections and handing the browser raw markup. That means any unsafe HTML that survives into that string can execute script, steal session data, or manipulate the page in ways you did not expect. For a developer audience, the rule is simple: ...

DOM clobbering is one of those bugs frontend teams accidentally create while thinking they are dealing with “just HTML”. Then it turns into script execution, broken security assumptions, or both. The short version: browsers expose some elements with id or name values as properties on global objects like window and sometimes on forms. If your JavaScript trusts those properties, an attacker can inject markup that overwrites what your code thinks is a safe variable, config object, or URL. That often becomes XSS. ...

Coda embeds look harmless right up until someone treats them like “just a bit of HTML from a trusted tool.” That’s the trap. I worked on a content-heavy app where editors could paste Coda doc links and get rich embedded content in articles. Nice feature. Fast to ship. Also a clean path to XSS once the implementation drifted from “embed a known provider” into “render whatever comes back.” The bug wasn’t exotic. No browser zero-day, no weird parser edge case. Just a familiar chain of bad decisions: ...

Chat apps are XSS magnets. That is not a criticism of Stream Chat specifically — it is just the reality of any product that renders user-generated content in real time, across devices, often with rich formatting layered on top. If you use Stream Chat, the core question is not “does Stream escape content?” The real question is “where can my app accidentally turn safe chat data into executable code?” That distinction matters. I have seen teams assume the chat SDK is the security boundary, then quietly reintroduce XSS through custom message rendering, markdown, link previews, emoji plugins, or attachment handling. ...