Safeguard
Tag

xss

Safeguard articles tagged "xss" — guides, analysis, and best practices for software supply chain and application security.

31 articles

Application Security

React and TypeScript security best practices for 2026

A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.

Jul 15, 20266 min read
Application Security

Preventing XSS in Django applications

Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.

Jul 14, 20266 min read
Application Security

XSS defaults and escape hatches: React, Vue, and Angular compared

All three major frameworks escape output by default, but each ships a named escape hatch that turns raw HTML back on — and only one sanitizes it automatically.

Jul 14, 20266 min read
Application Security

Preventing XSS in Java Spring and JSP applications

OWASP folded XSS into A03:2021-Injection, present in ~3.37% of tested apps — raw JSP EL output and a missing CSP header are still the two most common causes.

Jul 13, 20266 min read
Application Security

Where should your SPA store auth tokens?

OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.

Jul 10, 20266 min read
Application Security

Browser extensions are the softest target in your stack

A patched Grammarly bug let any website steal a user's documents; a 2025 flaw in Anthropic's Claude extension enabled silent prompt injection. Extensions keep failing the same three ways.

Jul 8, 20267 min read
Application Security

DOM clobbering: the XSS attack that never runs a script tag

DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.

Jul 8, 20266 min read
Application Security

Secure conditional rendering in React and Next.js Server Components

A CVSS 10.0 React Server Components flaw, patched in December 2025, shows why {isAdmin && <Panel/>} isn't access control — the data ships to the client either way.

Jul 8, 20266 min read
Security Guides

Preventing CSRF and XSS in ASP.NET Core

How CSRF and XSS actually work against ASP.NET Core apps, and the concrete defenses, antiforgery tokens, Razor output encoding, CSP, and SameSite cookies, that shut them down.

Jul 7, 20266 min read
Application Security

CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole

A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.

Jul 7, 20266 min read
Security Guides

Content Security Policy (CSP) Explained (2026)

A Content Security Policy is your last line of defense against XSS. Here is how CSP works, why nonce-based strict policies beat allowlists, and how to deploy one without breaking your app.

Jul 4, 20266 min read
Security Guides

JavaScript Security: The Common Pitfalls That Keep Burning Teams

The recurring JavaScript security mistakes that show up in real breaches — unsafe deserialization, injection sinks, prototype pollution, and trusting client input — each with vulnerable and fixed code.

Jul 2, 20265 min read
xss — Safeguard Blog