Claude Code ui

XSS Vulnerability in Template Output

User-provided content displayed in template without escaping. Attacker can inject malicious JavaScript that executes in other users' browsers. Form submissions, comments, or user profiles become attack vectors.

Template renders user input directly, trusting it's safe when it's not.

Error Messages You Might See

XSS vulnerability detected in template Malicious script executed in user context Script injection through unsanitized output
XSS vulnerability detected in templateMalicious script executed in user contextScript injection through unsanitized output

Common Causes

  1. Raw HTML output without escaping: {{ userInput }} instead of properly escaped
  2. dangerouslySetInnerHTML or equivalent used without validation
  3. Server trust user input without sanitizing
  4. Missing Content Security Policy headers
  5. Frontend sanitization only, no backend validation

How to Fix It

Escape all user input by default. Use framework features: React auto-escapes, use innerText not innerHTML. Sanitize HTML: DOMPurify library on frontend. Backend validation required too. Use Content Security Policy header to block inline scripts. Never use dangerouslySetInnerHTML unless absolutely necessary and content is verified safe.

Real developers can help you.

hanson1014 hanson1014 Full-stack developer experienced in fixing and deploying AI-generated apps from Lovable, Bolt.new, Cursor, and Replit. I specialize in debugging Supabase integration issues (auth flows, RLS policies, database connections), fixing broken deployments, resolving routing/blank screen problems, and cleaning up messy React/Vite codebases. I also build production apps with the Claude API and have shipped a Mac desktop dev tool (Nexterm from scratch. Based in Hong Kong, fast turnaround. Meïr Ankri Meïr Ankri Full-stack developer specializing in React / Next.js / Node.js with 6+ years of experience. I've worked across various sectors including automotive (Reezocar/Société Générale), healthcare (Medical Link SaaS), and e-commerce (Glasman). I build web apps end-to-end, from architecture to production, with a focus on scalability, performance, and code quality. I also mentor junior developers and contribute to technical decisions and code reviews. Tejas Chokhawala Tejas Chokhawala Full-stack engineer with 5 years experience building production web apps using React, Next.js and TypeScript. Focused on performance, clean architecture and shipping fast. Experienced with Supabase/Postgres backends, Stripe billing, and building AI-assisted developer tools. Krishna Sai Kuncha Krishna Sai Kuncha Experienced Professional Full stack Developer with 8+ years of experience across react, python, js, ts, golang and react-native. Developed inhouse websearch tooling for AI before websearch was solved : ) Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact. Luca Liberati Luca Liberati I work on monoliths and microservices, backends and frontends, manage K8s clusters and love to design apps architecture Antriksh Narang Antriksh Narang 5 years+ Experienced Dev (Specially in Web Development), can help in python, javascript, react, next.js and full stack web dev technologies. prajwalfullstack prajwalfullstack Hi Im a full stack developer, a vibe coded MVP to Market ready product, I'm here to help Prakash Prajapati Prakash Prajapati I’m a Senior Python Developer specializing in building secure, scalable, and highly available systems. I work primarily with Python, Django, FastAPI, Docker, PostgreSQL, and modern AI tooling such as PydanticAI, focusing on clean architecture, strong design principles, and reliable DevOps practices. I enjoy solving complex engineering problems and designing systems that are maintainable, resilient, and built to scale. Rudra Bhikadiya Rudra Bhikadiya I build and fix web apps across Next.js, Node.js, and DBs. Comfortable jumping into messy code, broken APIs, and mysterious bugs. If your project works in theory but not in reality, I help close that gap.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

How to prevent XSS in React?

React auto-escapes by default. Avoid: dangerouslySetInnerHTML. For HTML content, use DOMPurify: purify.sanitize(html)

What should be escaped?

All user input, especially from forms, URLs, file uploads. Escape: <, >, &, ", ' to &lt;, &gt;, etc.

What's Content Security Policy?

HTTP header restricts script execution: Content-Security-Policy: script-src 'self'. Blocks inline scripts and external URLs.

Related Claude Code Issues

UI Component Not Rendering After State Update

ui

CSS Styles Not Applied, Specificity Issue

ui

Form Validation Logic Partially Implemented

ui

Server-Side Template Syntax Errors

ui

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help