XSS Mistakes in ToolJet Apps and How to Fix Them

ToolJet is great for shipping internal tools fast. That speed is also exactly why people end up shipping XSS bugs fast. I’ve seen the same pattern over and over: a team treats ToolJet like a safe abstraction layer, assumes the platform handles all rendering risks, then mixes user input into HTML, JavaScript, or query results. Now the “internal tool” is running arbitrary script in an admin’s browser. That’s still XSS. Internal apps still hold production data, admin sessions, API tokens, and enough privileges to ruin your week. ...
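The mistake described above, reduced to its core, as an added example (this is illustrative code written for this page, not code from the post and not part of ToolJet itself; `escapeHtml`, `renderRowUnsafe`, `renderRowSafe` and `containsRawMarkup` are hypothetical names, and the sample row is constructed). It shows a value from a query result being concatenated into markup, the same value escaped at render time, and a small check you can run over rendered output in a unit test:

```javascript
// Added example, not from the original post and not ToolJet's own code.
// Helper names (escapeHtml, renderRowUnsafe, renderRowSafe, containsRawMarkup)
// are hypothetical; the sample row below is constructed for this demo.

// Escape the five characters that can change HTML structure or break out of
// an attribute value. Apply this at render time, to every untrusted value,
// whether it arrived from a form field or came back from a database query
// (a stored payload is still user input, it just took a detour).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The mistake the post describes: query results pasted straight into markup.
function renderRowUnsafe(row) {
  return `<tr><td>${row.name}</td><td>${row.note}</td></tr>`;
}

// The fix: each untrusted field passes through escapeHtml before it is joined
// into the template string. The markup we generate is ours; the data is not.
function renderRowSafe(row) {
  return `<tr><td>${escapeHtml(row.name)}</td><td>${escapeHtml(row.note)}</td></tr>`;
}

// A check for a component's rendered output: after removing the tags we
// generated ourselves (tr/td), is there still a raw element or an inline
// event handler attribute left over? Any hit means untrusted data reached
// the HTML context unescaped.
function containsRawMarkup(html) {
  const withoutOurTags = html.replace(/<\/?t[rd]>/g, "");
  return /<[a-zA-Z]|\son\w+\s*=/.test(withoutOurTags);
}

// Constructed sample: the 'note' field is what a query might return after a
// user saved it through another screen of the same tool.
const sampleRow = { name: "alice", note: "<script>alert(1)</script>" };

// Side by side: the unsafe renderer lets the script element through, the
// safe renderer turns it into inert text.
console.log(renderRowUnsafe(sampleRow));
console.log(renderRowSafe(sampleRow));
```

The check in `containsRawMarkup` is deliberately narrow to the markup this renderer produces; the point is that output-side tests catch an unescaped field regardless of which screen the value was entered on, which is what you want when the data path runs through a database between input and display.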

April 26, 2026 · 7 min · headertest.com