XSS in Shopify Liquid Templates: What Actually Breaks
Shopify developers often assume Liquid gives them automatic XSS protection. That assumption is where trouble starts. Liquid does help, but only in very specific contexts. The moment you move data from HTML text into attributes, JavaScript, JSON, URLs, or raw HTML blocks, the safety story changes fast. I’ve seen plenty of themes that look clean at first glance and still leave enough room for script injection through product data, metafields, cart attributes, or section settings. ...