Trusted Types API for XSS Prevention: Pros and Cons

Trusted Types is one of the few browser security features that actually changes developer behavior in a useful way. I like it because it goes after a common failure mode in front-end code: taking strings from somewhere untrusted and shoving them into dangerous DOM APIs like innerHTML, outerHTML, insertAdjacentHTML, or the script sinks (eval, setTimeout with a string argument, script.src). That is exactly how a lot of DOM XSS happens in real apps. The short version: Trusted Types turns dangerous string-based DOM injection into a type-checked operation. Instead of passing raw strings into risky sinks, you pass special objects (TrustedHTML, TrustedScript, TrustedScriptURL) created by a policy that sanitizes or validates the content first. One caveat up front: the types do nothing by themselves; the browser only starts rejecting raw strings at those sinks once the page ships a CSP with require-trusted-types-for 'script'. ...
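As an added example (not code from the post above), here is the usual feature-detected setup: one named policy whose createHTML escapes and whose createScriptURL validates against an allowlist, with a plain-string fallback so the same code runs where the API is absent. The policy name "app-policy", the page origin app.example.com and the CDN origin are assumptions for the demo.

```javascript
// Added example, not from the original post. Enforcement in the browser needs
// the CSP header (policy name "app-policy" is an assumption):
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-policy

// Assumed allowlist of origins this app may load scripts from.
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://cdn.example.com"]);

// HTML-escape so the value can only ever be text, never markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Resolve relative to the (assumed) page origin, then insist on https and an
// allowlisted origin. javascript: and data: URLs fail the protocol check, and
// blob: URLs that borrow an allowlisted inner origin fail it too.
function validateScriptUrl(value) {
  let url;
  try {
    url = new URL(String(value), "https://app.example.com/");
  } catch {
    throw new TypeError(`unparseable script URL: ${value}`);
  }
  if (url.protocol !== "https:" || !ALLOWED_SCRIPT_ORIGINS.has(url.origin)) {
    throw new TypeError(`script origin not allowed: ${url.origin}`);
  }
  return url.href;
}

const policyRules = {
  createHTML: (input) => escapeHtml(input),
  createScriptURL: (input) => validateScriptUrl(input),
  // No createScript on purpose: string-to-code sinks (eval, setTimeout("..."))
  // stay blocked entirely under the CSP above.
};

// With the API present the policy hands back TrustedHTML / TrustedScriptURL
// objects that the sinks accept; without it (Node, older browsers) the same
// calls return the escaped or validated strings.
const tt = globalThis.trustedTypes;
const policy = tt && tt.createPolicy ? tt.createPolicy("app-policy", policyRules) : policyRules;

// Render an untrusted comment body. Under enforcement, assigning a raw string
// here would throw a TypeError instead of executing injected markup.
function renderComment(container, text) {
  container.innerHTML = policy.createHTML(text);
  return container.innerHTML;
}

// Load a script through the same policy; a non-allowlisted src never reaches
// the DOM because createScriptURL throws first.
function loadScript(doc, src) {
  const el = doc.createElement("script");
  el.src = policy.createScriptURL(src);
  doc.head.appendChild(el);
}
```

The escaping policy is deliberately text-only: if a sink really needs markup, wrap a sanitizer in createHTML instead, and keep the number of policies small so the CSP allowlist stays reviewable.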

April 22, 2026 · 7 min · headertest.com

XSS in Shopify Liquid Templates: What Actually Breaks

Shopify developers often assume Liquid gives them automatic XSS protection. That assumption is where trouble starts. Liquid does help, but only in very specific contexts. The moment you move data from HTML text into attributes, JavaScript, JSON, URLs, or raw HTML blocks, the safety story changes fast. I’ve seen plenty of themes that look clean at first glance and still leave enough room for script injection through product data, metafields, cart attributes, or section settings. ...

April 21, 2026 · 7 min · headertest.com

Common XSS Mistakes in Qwik and How to Fix Them

Qwik does a lot right for security by default, but “by default” is where people get lazy. I’ve seen teams assume that because they’re using a modern framework, XSS is basically handled. Then somebody adds raw HTML rendering for a CMS snippet, builds a cute dynamic link component, or injects JSON into the page during SSR, and now the app has a very old-school bug wearing a very modern outfit. ...

April 20, 2026 · 7 min · headertest.com

XSS and Third-Party Scripts: Practical Defenses

Third-party JavaScript is one of the fastest ways to lose control of your frontend security. Analytics, chat widgets, A/B testing tools, tag managers, ad scripts, embedded dashboards — they all run with your page’s privileges unless you isolate them. If one gets compromised, your users see the blast radius, not the vendor. From the browser’s point of view, that script is your code. This is the part many teams get wrong: XSS is not only about your own unsafe innerHTML. It is also about every script you allow to execute in your origin. ...

April 19, 2026 · 7 min · headertest.com

DOM Clobbering and XSS: Practical Reference Guide

DOM clobbering is one of those bugs frontend teams accidentally create while thinking they are dealing with “just HTML”. Then it turns into script execution, broken security assumptions, or both. The short version: browsers expose elements with an id, and certain elements (such as form, img, and iframe) with a name, as named properties of window and document, and named form controls as properties of their form. If your JavaScript trusts those properties, an attacker who can inject markup, with no script of their own, can overwrite what your code thinks is a safe variable, config object, or URL. That often becomes XSS. ...
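As an added example (not code from the post above), here is what the clobbered value looks like to the code that reads it, and a guard that refuses it. Node has no DOM, so the anchor element and HTMLCollection below are constructed stand-ins: in a browser, `<a id="config"><a id="config" name="apiOrigin" href="https://evil.example/api">` produces exactly this shape, an HTMLCollection whose apiOrigin member stringifies to the href.

```javascript
// Added example, not from the original post. Constructed stand-ins for what a
// browser hands back after id/name clobbering.
class FakeAnchorElement {
  constructor(href) { this.href = href; }
  toString() { return this.href; } // String(anchor) is its href, as in the DOM
}
class FakeHTMLCollection extends Array {}

const CLOBBERED_WINDOW = {
  config: Object.assign(new FakeHTMLCollection(),
    { apiOrigin: new FakeAnchorElement("https://evil.example/api") }),
};
const LEGIT_WINDOW = { config: { apiOrigin: "https://api.example.com" } };

// Plain data only: objects whose prototype is Object.prototype (or null).
// Elements, collections and functions all have other prototypes.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Read a global that injected markup may have clobbered, and validate the
// one field we use rather than just checking its type.
function readGlobalConfig(win, name) {
  const v = win[name];
  if (!isPlainObject(v)) return null;
  const origin = v.apiOrigin;
  if (typeof origin !== "string") return null;
  let url;
  try { url = new URL(origin); } catch { return null; }
  if (url.protocol !== "https:" || url.origin !== origin) return null;
  return { apiOrigin: url.origin };
}

// The pattern that gets exploited: the template literal calls toString() on
// whatever apiOrigin resolves to, and the anchor's href comes out.
function apiBaseUnsafe(win) {
  const cfg = win.config || {};
  return `${cfg.apiOrigin || "https://api.example.com"}/session`;
}

// Hardened: a clobbered or malformed config falls back to the compiled-in value.
function apiBaseSafe(win) {
  const cfg = readGlobalConfig(win, "config");
  return `${cfg ? cfg.apiOrigin : "https://api.example.com"}/session`;
}
```

Two structural fixes beat any amount of guarding: ship configuration as JSON in a `<script type="application/json">` block and parse it, so it is never looked up by name at all; and when a global must exist, define it as an own property of window (a top-level `var` or `Object.defineProperty`) in a script that runs before any untrusted markup is parsed, since own properties shadow the DOM's named-property lookup.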

April 17, 2026 · 6 min · headertest.com

XSS in Coda Embeds: A Real Fix That Actually Holds

Coda embeds look harmless right up until someone treats them like “just a bit of HTML from a trusted tool.” That’s the trap. I worked on a content-heavy app where editors could paste Coda doc links and get rich embedded content in articles. Nice feature. Fast to ship. Also a clean path to XSS once the implementation drifted from “embed a known provider” into “render whatever comes back.” The bug wasn’t exotic. No browser zero-day, no weird parser edge case. Just a familiar chain of bad decisions: ...

April 16, 2026 · 7 min · headertest.com

Preventing XSS in Formspree Forms

Formspree is a nice shortcut when you want form handling without running your own backend. I’ve used it for contact forms, waitlists, and simple lead capture. It removes a lot of backend work, but it does not remove frontend security work. If you collect user input and then render it anywhere in your app, you can still create an XSS bug just as easily as with a custom form handler. ...

April 14, 2026 · 7 min · headertest.com

Magento XSS Mistakes That Keep Biting Teams

Magento gives you plenty of ways to shoot yourself in the foot with XSS. That’s not a Magento-only problem. Any platform with PHP templates, admin-managed content, third-party modules, Knockout bindings, and a lot of custom theme work is going to collect XSS bugs like dust. Magento just makes it easy to hide them in places that look harmless during code review. If you build or maintain Magento stores, these are the mistakes I see most often, and how I’d fix them without turning every template into a mess. ...

April 13, 2026 · 7 min · headertest.com

XSS in Typeform: Practical Prevention Guide

Typeform is mostly a hosted form product, which makes people assume XSS is “their problem.” That’s only half true. If you embed Typeform into your app, pass user-controlled values into hidden fields, render Typeform responses in your own admin panel, or glue it together with custom JavaScript, XSS becomes your problem fast. I’ve seen teams lock down their main app and then casually inject Typeform data into dashboards with innerHTML. That’s how you end up with a boring form turning into a stored XSS source. ...

April 11, 2026 · 7 min · headertest.com

XSS in Squarespace: Risks, Limits, and Safer Patterns

Squarespace is one of those platforms that feels pretty safe until you add “just a little custom code.” Then it turns into the same old web app problem: if untrusted content reaches the DOM or executable JavaScript, you can still end up with XSS. The good news: Squarespace reduces a lot of the obvious risk by controlling templates, editor workflows, and hosted infrastructure. The bad news: the moment you use Code Injection, custom blocks, third-party embeds, or sloppy client-side rendering, you can punch straight through those guardrails. ...

April 10, 2026 · 8 min · headertest.com