Sanitization

SurveyMonkey feels harmless because it’s “just forms.” That mindset gets teams into trouble. I’ve seen developers lock down their main app, then casually embed survey content, pipe responses into dashboards, send answers into admin panels, and render “custom thank you” pages with basically no output encoding. That’s how XSS sneaks in: not through the survey vendor itself, but through the glue code around it. If you use SurveyMonkey in a website, a customer portal, or an internal reporting tool, the risky parts are usually: ...

Cross-site scripting is still one of the easiest ways to turn a small rendering mistake into a full account takeover. If you build donation flows, event pages, admin dashboards, checkout forms, or email template editors like the kinds of features you’d expect around Humanitix, you’re handling user-controlled content constantly. That’s exactly where XSS shows up. The boring version of XSS advice is “escape output.” True, but too shallow to be useful. Real apps have rich text, markdown, embedded widgets, analytics snippets, query-string state, and legacy code that still pokes the DOM directly. That’s where teams get burned. ...

v-html is one of those Vue features that feels convenient right up until it becomes a security incident. If you render untrusted HTML with v-html, you are bypassing Vue’s normal escaping protections and handing the browser raw markup. That means any unsafe HTML that survives into that string can execute script, steal session data, or manipulate the page in ways you did not expect. For a developer audience, the rule is simple: ...

Squarespace is one of those platforms that feels pretty safe until you add “just a little custom code.” Then it turns into the same old web app problem: if untrusted content reaches the DOM or executable JavaScript, you can still end up with XSS. The good news: Squarespace reduces a lot of the obvious risk by controlling templates, editor workflows, and hosted infrastructure. The bad news: the moment you use Code Injection, custom blocks, third-party embeds, or sloppy client-side rendering, you can punch straight through those guardrails. ...

Cross-site scripting in Basin usually shows up the same way it does everywhere else: user-controlled data gets treated like HTML, JavaScript, or a URL in the browser. Basin doesn’t magically create XSS, but it can absolutely become the place where unsafe input is collected, stored, and later rendered back into your app. If you use Basin for forms, contact submissions, comments, support requests, or admin dashboards, you need to assume every field is hostile. Name, email, subject, message, hidden inputs, query params copied into forms — all of it. ...