XSS in Power Apps: A Real-World Fix
Power Apps gets sold as “low code,” which makes some teams assume “low risk.” That’s a mistake. I’ve seen Power Apps deployments where the frontend looked harmless, the data lived in Dataverse or SharePoint, and the team still shipped stored XSS because someone rendered user-controlled HTML inside an app component. The platform gives you a lot of guardrails, but the moment you start mixing user input, HTML text controls, custom pages, PCF components, embedded web resources, or data flowing in from Power Automate, you can absolutely create a mess. ...