XSS in Jekyll Templates: Where Static Sites Go Wrong

Jekyll is a static site generator, which makes people assume it’s automatically safe from XSS. That’s a bad assumption. Static output can still ship dangerous HTML and JavaScript to every visitor. If untrusted content gets into your templates, markdown, front matter, data files, or generated JSON, you can absolutely create stored XSS in a Jekyll site. The fact that the site is “just files” doesn’t help once the browser starts parsing them. ...
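To make the point concrete, here is an added example that is not code from the article and does not use Jekyll's Liquid engine; it reproduces in plain Ruby (stdlib `cgi` and `json` only) what a layout effectively does with a front-matter value when it is interpolated raw versus passed through an HTML-escape filter, and how a generated JSON blob can be made safe to inline. The front-matter title and JSON values are constructed test inputs, and `safe_inline_json` is an assumed, hand-written safeguard rather than any Jekyll filter.

```ruby
require 'cgi'
require 'json'

# Constructed front-matter value, as a content author (or a compromised
# upstream data file) might supply it. Not taken from the article.
UNTRUSTED_TITLE = 'Hello <img src=x onerror=alert(1)>'

# Stand-in for a raw `{{ page.title }}` in a layout: the value is dropped
# into the markup untouched, so any tags it contains ship to every visitor.
def render_unescaped(title)
  "<h1>#{title}</h1>"
end

# Hardened form, equivalent in spirit to `{{ page.title | escape }}`:
# <, >, &, and quotes become entities before they reach the page.
def render_escaped(title)
  "<h1>#{CGI.escapeHTML(title)}</h1>"
end

# Crude review check: does the rendered HTML contain a tag carrying an
# on* event-handler attribute? Used only to compare the two renders above.
def contains_event_handler?(html)
  html.match?(/<[^>]*\son\w+\s*=/i)
end

# Generated JSON (for example a search index built from page data) is often
# inlined into a <script> block. JSON.generate escapes quotes and control
# characters but leaves "/" alone, so a string containing "</script>" would
# end the script early. Escaping "</" as "<\/" keeps the JSON valid and
# inert inside script. Assumed safeguard, not a Jekyll filter.
def safe_inline_json(data)
  JSON.generate(data).gsub('</') { '<\/' }
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(UNTRUSTED_TITLE)
  puts render_escaped(UNTRUSTED_TITLE)
  puts safe_inline_json({ 'q' => '</script><script>alert(1)</script>' })
end
```

The escaped output still displays the literal text of the title, which is what an author usually wants; the only thing lost is the ability of a data value to introduce markup, and that is exactly the capability a stored XSS needs.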

June 13, 2026 · 8 min · headertest.com