xss-prevention
Safeguard articles tagged "xss-prevention" — guides, analysis, and best practices for software supply chain and application security.
10 articles
React security best practices: stopping XSS, dangerouslySetInnerHTML, and dependency risk
React auto-escapes JSX text by default, but dangerouslySetInnerHTML, href injection, and a 500-package npm worm show where that protection stops.
Single-Page Application Security: Tokens, XSS, and the Public Bundle
In an SPA, one XSS is game over and your entire bundle is public. Here's how token storage, CSP, OAuth PKCE, and CORS decide whether your SPA holds.
Angular Security Best Practices: Trusting the Sanitizer, Not Bypassing It
Angular sanitizes bindings by default — until a developer calls bypassSecurityTrustHtml. Here is how Angular's security model works and where teams break it.
Vue Security Best Practices: v-html, Dynamic Components, and SSR
Vue escapes mustache templates automatically, but v-html, dynamic component names, and SSR hydration open real XSS holes. Here is how to close them.
React Security Best Practices: A Practical Checklist for 2026
React escapes JSX text for you, but XSS sinks, secrets in the client bundle, token storage, and a 500-package npm worm are still yours to handle.
10 React security best practices
Real CVEs, real npm supply chain hijacks, and the concrete React practices — from CSP to token storage — that actually stop them.
6 Angular security best practices cheat sheet
A six-part cheat sheet on Angular security: sanitizer limits, AngularJS EOL, dependency risk, token storage, CSP nonces, and library auditing.
Comparing React and Angular secure coding practices
React auto-escapes JSX but not URLs; Angular sanitizes by context but allows explicit bypasses. Here's where each framework's XSS defenses actually stop.
5 best practices for React with TypeScript security
TypeScript's type system stops at compile time. Five concrete practices — with real CVEs and incidents — for securing React + TypeScript apps against what it misses.
CSP Bypass Techniques and Prevention: Beyond the Basics
Content Security Policy is the strongest browser-side defense against XSS. But most CSP deployments are bypassable. Here is why, and how to fix it.