Cross-site scripting in PHP usually happens because someone escaped the wrong thing, in the wrong place, at the wrong time. I’ve seen teams add htmlspecialchars() everywhere and still ship XSS. Not because the function is bad, but because XSS prevention is context-sensitive. A value that is safe in HTML text is not automatically safe in an attribute, a JavaScript string, or a URL. If you remember one rule, make it this one: ...
ServiceNow is one of those platforms where people assume the framework will save them. Sometimes it does. Sometimes it absolutely does not. I’ve seen teams build solid workflows, ACLs, and integrations, then quietly ship stored XSS through a widget, a Jelly page, or a badly handled g_form.addInfoMessage() call. The dangerous part is that ServiceNow mixes platform abstractions with plain old web rendering. If user-controlled data lands in HTML, JavaScript, or the DOM without the right encoding, you still have the same browser-side problem you’d have in any other app. ...
Cross-site scripting in Basin usually shows up the same way it does everywhere else: user-controlled data gets treated like HTML, JavaScript, or a URL in the browser. Basin doesn’t magically create XSS, but it can absolutely become the place where unsafe input is collected, stored, and later rendered back into your app. If you use Basin for forms, contact submissions, comments, support requests, or admin dashboards, you need to assume every field is hostile. Name, email, subject, message, hidden inputs, query params copied into forms — all of it. ...
Airtable embeds feel harmless. Paste an iframe, ship the feature, move on. That’s exactly why they deserve scrutiny. If you embed Airtable views, forms, or shared interfaces into your app, you’re pulling third-party content into a trusted page. That doesn’t automatically mean “instant XSS,” because iframes do create a boundary. But I’ve seen teams treat that boundary as stronger than it really is, then poke holes in it with permissive sandbox settings, weak CSP, sloppy postMessage handlers, or custom wrappers that turn untrusted data into DOM. ...
Cross-site scripting is one of those vulnerabilities that never really goes away. We get better frameworks, safer templating, stricter defaults, and still XSS shows up in bug bounty reports every day. The reason is simple: if an attacker can get the browser to execute JavaScript you didn’t intend to run, they can often act as the user, steal data, or pivot deeper into your app. Content Security Policy, or CSP, is one of the few browser features that can meaningfully reduce the blast radius of XSS. It is not a silver bullet. It will not magically fix unsafe HTML rendering. But a good CSP can turn “one bad escaping bug equals account takeover” into “the payload just doesn’t run.” ...
Cross-site scripting prevention gets a lot harder than it should because people hear “sanitize input” and stop there. That’s not enough. If you remember one thing from this tutorial, make it this: XSS is prevented at output time, based on the exact context where data is rendered. Output encoding is the boring, reliable workhorse of XSS defense. It’s not flashy, but it’s the thing that stops untrusted data from turning into executable HTML, JavaScript, or CSS in the browser. ...
Cross-site scripting is one of those vulnerabilities that keeps showing up because it’s fundamentally simple: untrusted data ends up in a place where the browser treats it as code. But “XSS” isn’t just one thing. In practice, you’ll usually hear about three flavors: Reflected XSS Stored XSS DOM-based XSS They all end with attacker-controlled JavaScript running in a victim’s browser, but the way the payload gets there matters a lot for both exploitation and prevention. ...
Cross-site scripting, usually shortened to XSS, is one of those web security bugs that sounds old-school but still shows up everywhere. If you build web apps that display user-controlled content, you need to understand it. Not just the definition, but how it actually happens in real code. The short version: XSS happens when an attacker gets your site to treat untrusted input as executable code in the browser. Usually that means JavaScript, but the real issue is broader than “someone injected a script tag.” The browser is parsing HTML, attributes, URLs, CSS, and script contexts differently, and if you put user data into the wrong place without the right protection, the attacker can make the page do things you never intended. ...
Cross-site scripting in React and Next.js is one of those topics that sounds simpler than it really is. A lot of developers hear “React escapes output by default” and mentally file XSS away as mostly solved. That’s true right up until you touch dangerouslySetInnerHTML, render CMS content, build a markdown feature, pass untrusted values into URLs, or mix server and client rendering in ways that make assumptions drift. The good news: React and Next.js give you a strong baseline. The bad news: they do not make you XSS-proof automatically. ...