XSS in WeChat Mini-Programs: Risks, Tradeoffs, Fixes
WeChat mini-programs look like web apps, smell like web apps, and still lull teams into a false sense of security around XSS. I’ve seen this mistake a lot: a team assumes “it’s not running in a normal browser, so classic XSS doesn’t really apply.” That’s the wrong mental model. The attack surface is different, the rendering model is more constrained, and some browser features are missing, but untrusted data is still untrusted data. If your mini-program renders attacker-controlled content, builds templates carelessly, or bridges unsafe data into native-like APIs, you can still end up with script injection, UI redress issues, data theft, or malicious action execution. ...
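The most common place "attacker-controlled content" reaches a mini-program's renderer is a node tree handed to the rich-text component. The allow-list filter below is an added example written for this post, not code from the post itself or from WeChat; it assumes the rich-text node shape (`name`/`attrs`/`children` for elements, `type: 'text'`/`text` for text) and the tag and attribute sets are choices you would tune per app.

```javascript
// Added example: allow-list filter for an untrusted node tree before it is
// bound to <rich-text nodes="{{...}}">. Node field names follow the WeChat
// rich-text format as assumed above; verify them against the current docs.
const ALLOWED = {            // tag -> attributes that may survive
  p: new Set(['class']),
  span: new Set(['class']),
  b: new Set([]),
  i: new Set([]),
  br: new Set([]),
  a: new Set(['href']),
  img: new Set(['src', 'alt']),
};
// Elements whose whole subtree is discarded rather than unwrapped.
const DROP = new Set(['script', 'style', 'iframe']);
// Only absolute https URLs are accepted for link and image targets.
const SAFE_URL = /^https:\/\//i;

function sanitizeNodes(nodes, depth = 0) {
  if (!Array.isArray(nodes) || depth > 16) return []; // depth cap: no stack abuse
  const out = [];
  for (const n of nodes) {
    if (!n || typeof n !== 'object') continue;
    if (n.type === 'text') {
      if (typeof n.text === 'string') out.push({ type: 'text', text: n.text });
      continue;
    }
    const name = String(n.name || '').toLowerCase();
    if (DROP.has(name)) continue;
    const allowedAttrs = ALLOWED[name];
    if (!allowedAttrs) {
      // Unknown element: drop the tag itself but keep its sanitized children.
      out.push(...sanitizeNodes(n.children, depth + 1));
      continue;
    }
    const rawAttrs = n.attrs && typeof n.attrs === 'object' ? n.attrs : {};
    const attrs = {};
    for (const [k, v] of Object.entries(rawAttrs)) {
      const key = k.toLowerCase();
      if (!allowedAttrs.has(key) || typeof v !== 'string') continue; // on*, style, ...
      if ((key === 'href' || key === 'src') && !SAFE_URL.test(v)) continue;
      attrs[key] = v;
    }
    out.push({ name, attrs, children: sanitizeNodes(n.children, depth + 1) });
  }
  return out;
}
```

Call `sanitizeNodes` on the server-supplied tree in your page logic and bind only its return value to the component; never bind the raw response.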