Safeguard
Tag

xss-prevention

Safeguard articles tagged "xss-prevention" — guides, analysis, and best practices for software supply chain and application security.

10 articles

Application Security

React security best practices: stopping XSS, dangerouslySetInnerHTML, and dependency risk

React auto-escapes JSX text by default, but dangerouslySetInnerHTML, href injection, and a 500-package npm worm show where that protection stops.

Jul 11, 20266 min read
Security Guides

Single-Page Application Security: Tokens, XSS, and the Public Bundle

In an SPA, one XSS is game over and your entire bundle is public. Here's how token storage, CSP, OAuth PKCE, and CORS decide whether your SPA holds.

Jul 7, 20265 min read
Security Guides

Angular Security Best Practices: Trusting the Sanitizer, Not Bypassing It

Angular sanitizes bindings by default — until a developer calls bypassSecurityTrustHtml. Here is how Angular's security model works and where teams break it.

Jul 2, 20265 min read
Security Guides

Vue Security Best Practices: v-html, Dynamic Components, and SSR

Vue escapes mustache templates automatically, but v-html, dynamic component names, and SSR hydration open real XSS holes. Here is how to close them.

Jul 2, 20265 min read
Security Guides

React Security Best Practices: A Practical Checklist for 2026

React escapes JSX text for you, but XSS sinks, secrets in the client bundle, token storage, and a 500-package npm worm are still yours to handle.

Jul 1, 20265 min read
Application Security

10 React security best practices

Real CVEs, real npm supply chain hijacks, and the concrete React practices — from CSP to token storage — that actually stop them.

May 26, 20268 min read
Application Security

6 Angular security best practices cheat sheet

A six-part cheat sheet on Angular security: sanitizer limits, AngularJS EOL, dependency risk, token storage, CSP nonces, and library auditing.

May 26, 20267 min read
Application Security

Comparing React and Angular secure coding practices

React auto-escapes JSX but not URLs; Angular sanitizes by context but allows explicit bypasses. Here's where each framework's XSS defenses actually stop.

May 26, 20269 min read
Application Security

5 best practices for React with TypeScript security

TypeScript's type system stops at compile time. Five concrete practices — with real CVEs and incidents — for securing React + TypeScript apps against what it misses.

May 23, 20266 min read
Application Security

CSP Bypass Techniques and Prevention: Beyond the Basics

Content Security Policy is the strongest browser-side defense against XSS. But most CSP deployments are bypassable. Here is why, and how to fix it.

Jan 12, 20235 min read
xss-prevention — Safeguard Blog