XSS in Salesforce Lightning: Risks, Defenses, Tradeoffs
Salesforce Lightning gives you more XSS protection than a typical front-end stack. That’s the good news. The bad news: people hear “Salesforce sanitizes things” and stop thinking like attackers. That’s how XSS bugs survive in Lightning apps. If you build on Salesforce, the real question isn’t “does Lightning prevent XSS?” It’s “which layer is protecting me right now, and what breaks when I bypass it?” The answer changes depending on whether you’re in Aura, Lightning Web Components, Visualforce embedded in Lightning, or a third-party script trying to do clever stuff. ...