XSS in Stream Chat: Risks, Defenses, and Tradeoffs

Chat apps are XSS magnets. That is not a criticism of Stream Chat specifically — it is just the reality of any product that renders user-generated content in real time, across devices, often with rich formatting layered on top. If you use Stream Chat, the core question is not “does Stream escape content?” The real question is “where can my app accidentally turn safe chat data into executable code?” That distinction matters. I have seen teams assume the chat SDK is the security boundary, then quietly reintroduce XSS through custom message rendering, markdown, link previews, emoji plugins, or attachment handling. ...

April 15, 2026 · 7 min · headertest.com

Preventing XSS in Formspree Forms

Formspree is a nice shortcut when you want form handling without running your own backend. I’ve used it for contact forms, waitlists, and simple lead capture. It removes a lot of backend work, but it does not remove frontend security work. If you collect user input and then render it anywhere in your app, you can still create an XSS bug just as easily as with a custom form handler. ...

April 14, 2026 · 7 min · headertest.com

XSS in Typeform: Practical Prevention Guide

Typeform is mostly a hosted form product, which makes people assume XSS is “their problem.” That’s only half true. If you embed Typeform into your app, pass user-controlled values into hidden fields, render Typeform responses in your own admin panel, or glue it together with custom JavaScript, XSS becomes your problem fast. I’ve seen teams lock down their main app and then casually inject Typeform data into dashboards with innerHTML. That’s how you end up with a boring form turning into a stored XSS source. ...

April 11, 2026 · 7 min · headertest.com

XSS in Squarespace: Risks, Limits, and Safer Patterns

Squarespace is one of those platforms that feels pretty safe until you add “just a little custom code.” Then it turns into the same old web app problem: if untrusted content reaches the DOM or executable JavaScript, you can still end up with XSS. The good news: Squarespace reduces a lot of the obvious risk by controlling templates, editor workflows, and hosted infrastructure. The bad news: the moment you use Code Injection, custom blocks, third-party embeds, or sloppy client-side rendering, you can punch straight through those guardrails. ...

April 10, 2026 · 8 min · headertest.com

XSS in ServiceNow: Where It Hides and How to Stop It

ServiceNow is one of those platforms where people assume the framework will save them. Sometimes it does. Sometimes it absolutely does not. I’ve seen teams build solid workflows, ACLs, and integrations, then quietly ship stored XSS through a widget, a Jelly page, or a badly handled g_form.addInfoMessage() call. The dangerous part is that ServiceNow mixes platform abstractions with plain old web rendering. If user-controlled data lands in HTML, JavaScript, or the DOM without the right encoding, you still have the same browser-side problem you’d have in any other app. ...

April 8, 2026 · 8 min · headertest.com

Preventing XSS in Basin Apps

Cross-site scripting in Basin usually shows up the same way it does everywhere else: user-controlled data gets treated like HTML, JavaScript, or a URL in the browser. Basin doesn’t magically create XSS, but it can absolutely become the place where unsafe input is collected, stored, and later rendered back into your app. If you use Basin for forms, contact submissions, comments, support requests, or admin dashboards, you need to assume every field is hostile. Name, email, subject, message, hidden inputs, query params copied into forms — all of it. ...

April 7, 2026 · 7 min · headertest.com

Using Hashes to Stop Inline Script XSS

Inline scripts are one of the easiest ways to accidentally punch a hole through your XSS defenses. If you allow <script> blocks or inline event handlers without strict controls, an attacker only needs one HTML injection point to start running JavaScript in your users’ browsers. CSP hashes are one of the cleanest ways to keep a small amount of inline JavaScript while still blocking everything else. This guide is the practical version: what hashes do, when to use them, how to generate them, and the exact headers to copy and paste. ...

April 5, 2026 · 6 min · headertest.com

How Content Security Policy stops XSS

Cross-site scripting is one of those vulnerabilities that never really goes away. We get better frameworks, safer templating, stricter defaults, and still XSS shows up in bug bounty reports every day. The reason is simple: if an attacker can get the browser to execute JavaScript you didn’t intend to run, they can often act as the user, steal data, or pivot deeper into your app. Content Security Policy, or CSP, is one of the few browser features that can meaningfully reduce the blast radius of XSS. It is not a silver bullet. It will not magically fix unsafe HTML rendering. But a good CSP can turn “one bad escaping bug equals account takeover” into “the payload just doesn’t run.” ...

April 4, 2026 · 8 min · headertest.com

How to prevent XSS with output encoding

Cross-site scripting prevention gets a lot harder than it should because people hear “sanitize input” and stop there. That’s not enough. If you remember one thing from this tutorial, make it this: XSS is prevented at output time, based on the exact context where data is rendered. Output encoding is the boring, reliable workhorse of XSS defense. It’s not flashy, but it’s the thing that stops untrusted data from turning into executable HTML, JavaScript, or CSS in the browser. ...

April 4, 2026 · 8 min · headertest.com

Reflected XSS vs stored XSS vs DOM-based XSS

Cross-site scripting is one of those vulnerabilities that keeps showing up because it’s fundamentally simple: untrusted data ends up in a place where the browser treats it as code. But “XSS” isn’t just one thing. In practice, you’ll usually hear about three flavors: Reflected XSS, Stored XSS, and DOM-based XSS. They all end with attacker-controlled JavaScript running in a victim’s browser, but the way the payload gets there matters a lot for both exploitation and prevention. ...

April 4, 2026 · 9 min · headertest.com