Javascript

Softr sits in an awkward but very common security category: “low-code platform that feels safe until someone pastes HTML into it.” That’s not a knock on Softr specifically. Every builder that mixes structured content, embeds, and optional custom code ends up with the same XSS questions: Can users inject script? Can admins accidentally create script sinks? Does the platform escape content consistently? What happens when teams add custom JavaScript, embeds, or third-party widgets? If you build on Softr, the XSS story is less about one dramatic platform flaw and more about understanding where the platform helps you, where it gets out of your way, and where you can still hurt yourself. ...

Prototype pollution is one of those bug classes that sounds academic until you watch it turn a harmless config object into script execution. For a developer audience, the useful question is not “what is prototype pollution?” You probably already know the basics. The better question is: when does prototype pollution actually become XSS, and how does that compare to more direct XSS paths? That comparison matters because prototype pollution is rarely the last bug in the chain. It is usually the force multiplier. ...

Netlify Forms are convenient, but they create a classic security trap: teams treat form submissions like harmless content, then render them in dashboards, emails, thank-you pages, or admin tools without thinking about XSS. That’s where things go sideways. Netlify handles submission collection. It does not magically make user input safe to render as HTML. If someone submits <img src=x onerror=alert(1)>, that payload is still just attacker-controlled input. The XSS happens later, when your code inserts that input into the DOM unsafely. ...

ToolJet is great for shipping internal tools fast. That speed is also exactly why people end up shipping XSS bugs fast. I’ve seen the same pattern over and over: a team treats ToolJet like a safe abstraction layer, assumes the platform handles all rendering risks, then mixes user input into HTML, JavaScript, or query results. Now the “internal tool” is running arbitrary script in an admin’s browser. That’s still XSS. Internal apps still hold production data, admin sessions, API tokens, and enough privileges to ruin your week. ...

Carrd is deceptively simple. That’s why people get sloppy with it. You drag in text, forms, embeds, maybe a custom code block, publish, and move on. From an XSS perspective, that “simple landing page builder” can still become a script execution surface if you treat every HTML box, embed, and third-party widget like a safe sandbox. It isn’t. This guide is the practical version: where XSS shows up in Carrd, what Carrd does and doesn’t protect you from, and what to actually paste into your setup. ...

Cal.com embeds are convenient, but they also create one of my least favorite frontend security situations: third-party UI mixed with app code that was never designed for hostile input. The Cal.com script itself isn’t the usual problem. The problem is everything around it: how teams build embed URLs, how they pass prefill data, how they read query params, and how they inject user-controlled values into the page next to the widget. ...

Trusted Types is one of the few browser security features that actually changes developer behavior in a useful way. I like it because it goes after a common failure mode in front-end code: taking strings from somewhere untrusted and shoving them into dangerous DOM APIs like innerHTML, outerHTML, insertAdjacentHTML, or eval-adjacent sinks. That is exactly how a lot of DOM XSS happens in real apps. The short version: Trusted Types turns dangerous string-based DOM injection into a type-checked operation. Instead of passing raw strings into risky sinks, you pass special objects like TrustedHTML, usually created by a policy that sanitizes or validates the content first. ...

Third-party JavaScript is one of the fastest ways to lose control of your frontend security. Analytics, chat widgets, A/B testing tools, tag managers, ad scripts, embedded dashboards — they all run with your page’s privileges unless you isolate them. If one gets compromised, your users see the blast radius, not the vendor. From the browser’s point of view, that script is your code. This is the part many teams get wrong: XSS is not only about your own unsafe innerHTML. It is also about every script you allow to execute in your origin. ...

DOM clobbering is one of those bugs frontend teams accidentally create while thinking they are dealing with “just HTML”. Then it turns into script execution, broken security assumptions, or both. The short version: browsers expose some elements with id or name values as properties on global objects like window and sometimes on forms. If your JavaScript trusts those properties, an attacker can inject markup that overwrites what your code thinks is a safe variable, config object, or URL. That often becomes XSS. ...

Coda embeds look harmless right up until someone treats them like “just a bit of HTML from a trusted tool.” That’s the trap. I worked on a content-heavy app where editors could paste Coda doc links and get rich embedded content in articles. Nice feature. Fast to ship. Also a clean path to XSS once the implementation drifted from “embed a known provider” into “render whatever comes back.” The bug wasn’t exotic. No browser zero-day, no weird parser edge case. Just a familiar chain of bad decisions: ...