Cal.com embeds are convenient, but they also create one of my least favorite frontend security situations: third-party UI mixed with app code that was never designed for hostile input. The Cal.com script itself isn’t the usual problem. The problem is everything around it: how teams build embed URLs, how they pass prefill data, how they read query params, and how they inject user-controlled values into the page next to the widget. ...
Coda embeds look harmless right up until someone treats them like “just a bit of HTML from a trusted tool.” That’s the trap. I worked on a content-heavy app where editors could paste Coda doc links and get rich embedded content in articles. Nice feature. Fast to ship. Also a clean path to XSS once the implementation drifted from “embed a known provider” into “render whatever comes back.” The bug wasn’t exotic. No browser zero-day, no weird parser edge case. Just a familiar chain of bad decisions: ...
Typeform is mostly a hosted form product, which makes people assume XSS is “their problem.” That’s only half true. If you embed Typeform into your app, pass user-controlled values into hidden fields, render Typeform responses in your own admin panel, or glue it together with custom JavaScript, XSS becomes your problem fast. I’ve seen teams lock down their main app and then casually inject Typeform data into dashboards with innerHTML. That’s how you end up with a boring form turning into a stored XSS source. ...