xss
Safeguard articles tagged "xss" — guides, analysis, and best practices for software supply chain and application security.
31 articles
React and TypeScript security best practices for 2026
A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.
Preventing XSS in Django applications
Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.
XSS defaults and escape hatches: React, Vue, and Angular compared
All three major frameworks escape output by default, but each ships a named escape hatch that turns raw HTML back on — and only one sanitizes it automatically.
Preventing XSS in Java Spring and JSP applications
OWASP folded XSS into A03:2021-Injection, present in ~3.37% of tested apps — raw JSP EL output and a missing CSP header are still the two most common causes.
Where should your SPA store auth tokens?
OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.
Browser extensions are the softest target in your stack
A patched Grammarly bug let any website steal a user's documents; a 2025 flaw in Anthropic's Claude extension enabled silent prompt injection. Extensions keep failing the same three ways.
DOM clobbering: the XSS attack that never runs a script tag
DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.
Secure conditional rendering in React and Next.js Server Components
A CVSS 10.0 React Server Components flaw, patched in December 2025, shows why {isAdmin && <Panel/>} isn't access control — the data ships to the client either way.
Preventing CSRF and XSS in ASP.NET Core
How CSRF and XSS actually work against ASP.NET Core apps, and the concrete defenses, antiforgery tokens, Razor output encoding, CSP, and SameSite cookies, that shut them down.
CVE-2024-22195: how Jinja2's xmlattr filter opened an XSS hole
A single filter in Jinja, xmlattr, could inject arbitrary HTML attributes and slip past autoescaping entirely — fixed in Jinja 3.1.3, tracked as CVE-2024-22195.
Content Security Policy (CSP) Explained (2026)
A Content Security Policy is your last line of defense against XSS. Here is how CSP works, why nonce-based strict policies beat allowlists, and how to deploy one without breaking your app.
JavaScript Security: The Common Pitfalls That Keep Burning Teams
The recurring JavaScript security mistakes that show up in real breaches — unsafe deserialization, injection sinks, prototype pollution, and trusting client input — each with vulnerable and fixed code.