Bolt security

Missing Input Sanitization in Bolt App Forms

Your Bolt.new application accepts user input from forms, URL parameters, and API requests without validating or sanitizing it. This leaves your app vulnerable to cross-site scripting (XSS), HTML injection, data corruption, and other attacks that exploit unfiltered input.

When Bolt generates form handling code, it often passes user input directly to the database or renders it on the page without checking for malicious content. A user could submit a script tag in a comment field, an extremely long string that breaks your layout, or special characters that corrupt your data.

The consequences range from cosmetic issues (broken layouts) to critical security breaches (stolen user sessions, defaced pages, or unauthorized data access). This is one of the most common security gaps in AI-generated applications.

Error Messages You Might See

Warning: Each child in a list should have a unique key prop Content Security Policy violation: inline script blocked Unhandled Runtime Error: Objects are not valid as a React child XSS payload detected in input field
Warning: Each child in a list should have a unique key propContent Security Policy violation: inline script blockedUnhandled Runtime Error: Objects are not valid as a React childXSS payload detected in input field

Common Causes

  • No server-side validation — Form data is accepted and stored without checking type, length, or format on the backend
  • Using dangerouslySetInnerHTML — Bolt generated React components that render user content as raw HTML, enabling XSS
  • Client-only validation — Validation exists in the form component but not in the API route, so it can be bypassed with a direct API call
  • No Content Security Policy — Missing CSP headers allow injected scripts to execute freely
  • Rich text editors without sanitization — WYSIWYG editors that save and display raw HTML from users
  • URL parameters used directly — Query string values rendered on the page without escaping

How to Fix It

  1. Add server-side validation with Zod — Define strict schemas: const schema = z.object({ name: z.string().min(1).max(100), email: z.string().email() }); and validate every API input
  2. Never use dangerouslySetInnerHTML with user data — Replace it with regular JSX text rendering: {userComment} instead of dangerouslySetInnerHTML={{__html: userComment}}
  3. Install DOMPurify for HTML content — If you must render HTML, sanitize it: DOMPurify.sanitize(htmlContent, { ALLOWED_TAGS: ['p', 'b', 'i', 'a'] })
  4. Add Content-Security-Policy headers — Configure CSP to block inline scripts: Content-Security-Policy: default-src 'self'; script-src 'self'
  5. Validate on both client and server — Share Zod schemas between frontend forms and backend API routes for consistent validation

Real developers can help you.

Franck Plazanet Franck Plazanet I am a Strategic Engineering Leader with over 8 years of experience building high-availability enterprise systems and scaling high-performing technical teams. My focus is on bridging the gap between complex technology and business growth. Core Expertise: 🚀 Leadership: Managing and coaching teams of 15+ engineers, fostering a culture of accountability and continuous improvement. 🏗️ Architecture: Enterprise Core Systems, Multi-system Integration (ERP/API/ETL), and Core Database Structure. ☁️ Cloud & Scale: AWS Expert; architected systems handling 10B+ monthly requests and managing 100k+ SKUs. 📈 Business Impact: Aligning tech strategy with P&L goals to drive $70k+ in monthly recurring revenue. I thrive on "out-of-the-box" thinking to solve complex technical bottlenecks and am always looking for ways to use automation to improve business productivity. legrab legrab I'll fill this later Anthony Akpan Anthony Akpan Developer with 8 years of experience building softwares fro startups Pratik Pratik SWE with 15+ years of experience building and maintaining web apps and extensive BE infrastructure Matthew Jordan Matthew Jordan I've been working at a large software company named Kainos for 2 years, and mainly specialise in Platform Engineering. I regularly enjoy working on software products outside of work, and I'm a huge fan of game development using Unity. I personally enjoy Python & C# in my spare time, but I also specialise in multiple different platform-related technologies from my day job. Omar Faruk Omar Faruk As a Product Engineer at Klasio, I contributed to end-to-end product development, focusing on scalability, performance, and user experience. My work spanned building and refining core features, developing dynamic website templates, integrating secure and reliable payment gateways, and optimizing the overall system architecture. I played a key role in creating a scalable and maintainable platform to support educators and learners globally. I'm enthusiastic about embracing new challenges and making meaningful contributions. Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact. Tejas Chokhawala Tejas Chokhawala Full-stack engineer with 5 years experience building production web apps using React, Next.js and TypeScript. Focused on performance, clean architecture and shipping fast. Experienced with Supabase/Postgres backends, Stripe billing, and building AI-assisted developer tools. Dor Yaloz Dor Yaloz SW engineer with 6+ years of experience, I worked with React/Node/Python did projects with React+Capacitor.js for ios Supabase expert Basel Issmail Basel Issmail ’m a Senior Full-Stack Developer and Tech Lead with experience designing and building scalable web platforms. I work across the full development lifecycle, from translating business requirements into technical architecture to delivering reliable production systems. My work focuses on modern web technologies, including TypeScript, Angular, Node.js, and cloud-based architectures. I enjoy solving complex technical problems and helping teams turn product ideas and prototypes into working platforms that can grow and scale. In addition to development, I often collaborate closely with product managers, business analysts, designers, and QA teams to ensure that solutions align with both technical and business goals. I enjoy working with startups and product teams where I can contribute both as a hands-on engineer and as a technical partner in designing and delivering impactful software.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

What is the difference between validation and sanitization?

Validation checks that input meets your requirements (correct format, length, type) and rejects bad input. Sanitization modifies input to remove dangerous content while keeping the data. You should do both: validate first, then sanitize what passes.

Does React protect against XSS automatically?

React's JSX auto-escapes content in curly braces ({variable}), which prevents most XSS. However, using dangerouslySetInnerHTML, creating elements via DOM APIs, or setting href/src attributes with user data can still introduce XSS vulnerabilities.

Related Bolt Issues

Environment Variables Exposed in Bolt Client Bundle

security

SQL Injection in Bolt AI-Generated Database Queries

security

Insecure Cookie Configuration in Bolt Application

security

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help