XSS in Slack Apps: Where It Shows Up and How to Stop It

Slack apps feel safer than regular web apps at first glance. A lot of the UI is rendered by Slack, not by your own frontend, so the usual DOM-based XSS panic seems less relevant. That feeling is only half true. Slack apps still get XSS in a few predictable places:

- web dashboards for app configuration
- OAuth install flows
- message content reflected into your own admin UI
- link unfurl previews rendered by your backend
- Home tabs or modals, when developers mix trusted Slack fields with untrusted external data
- any custom web view opened from a Slack app

The tricky part is that Slack removes some classes of frontend mistakes while leaving others completely intact. So the right question is not “can Slack apps get XSS?” It’s “which Slack surfaces reduce XSS risk, and which ones just move it somewhere else?” ...
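The "message content reflected into your own admin UI" case above, as an added example that is not code from the article: a Node admin page (assumed) that lists messages received from Slack's Events API. The constructed payload follows Slack's convention of delivering `text` with `&`, `<` and `>` already escaped and links or mentions wrapped in angle brackets; the vulnerable renderer undoes that escaping so the text "looks right" and reflects it, while the hardened one escapes every fragment on the way out and only turns http(s) links into anchors.

```javascript
// Added example, not the article's code. Assumes a Node admin dashboard that
// renders recent Slack messages into HTML. Slack escapes &, < and > in `text`;
// URLs, mentions and channels arrive as <https://host|label>, <@U123>, <#C123>.
function decodeSlackEntities(s) {
  // Decode &amp; last so a literal "&lt;" typed by a user stays a literal.
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: undo Slack's escaping and drop the text straight into the page.
// Anyone who can post in a channel the app listens to controls `event.text`.
function renderMessageUnsafe(event) {
  return `<li><b>${event.user}</b>: ${decodeSlackEntities(event.text)}</li>`;
}

// Hardened: parse Slack's <target|label> tokens on the decoded text, escape
// each fragment, and allow only http(s) targets to become clickable links.
function renderMessageSafe(event) {
  const text = decodeSlackEntities(event.text);
  const token = /<([^<>|]+)(?:\|([^<>]*))?>/g;
  let out = "", last = 0, m;
  while ((m = token.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const [whole, target, label] = m;
    if (/^https?:\/\//i.test(target)) {
      out += `<a href="${escapeHtml(target)}" rel="noopener noreferrer">` +
             `${escapeHtml(label || target)}</a>`;
    } else {
      // Mentions, channels, unknown schemes and stray tags stay inert text.
      out += escapeHtml(whole);
    }
    last = m.index + whole.length;
  }
  out += escapeHtml(text.slice(last));
  return `<li><b>${escapeHtml(event.user)}</b>: ${out}</li>`;
}

// Constructed sample event (not real traffic), in the shape Slack delivers it.
const SAMPLE_EVENT = {
  user: "U0000TEST",
  text: "docs: <https://example.com/?a=1&amp;b=2|guide> cc <@U0000TEST> " +
        "&lt;script&gt;alert(1)&lt;/script&gt;",
};
```

Running `renderMessageUnsafe(SAMPLE_EVENT)` yields markup containing a live `<script>` element, while `renderMessageSafe(SAMPLE_EVENT)` keeps the link clickable and renders the mention and the script tag as inert text.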

June 23, 2026 · 8 min · headertest.com