React

Chat apps are XSS magnets. That is not a criticism of Stream Chat specifically — it is just the reality of any product that renders user-generated content in real time, across devices, often with rich formatting layered on top. If you use Stream Chat, the core question is not “does Stream escape content?” The real question is “where can my app accidentally turn safe chat data into executable code?” That distinction matters. I have seen teams assume the chat SDK is the security boundary, then quietly reintroduce XSS through custom message rendering, markdown, link previews, emoji plugins, or attachment handling. ...

Cross-site scripting in React and Next.js is one of those topics that sounds simpler than it really is. A lot of developers hear “React escapes output by default” and mentally file XSS away as mostly solved. That’s true right up until you touch dangerouslySetInnerHTML, render CMS content, build a markdown feature, pass untrusted values into URLs, or mix server and client rendering in ways that make assumptions drift. The good news: React and Next.js give you a strong baseline. The bad news: they do not make you XSS-proof automatically. ...