Claude Code
ui
XSS Vulnerability in Template Output
User-provided content displayed in template without escaping. Attacker can inject malicious JavaScript that executes in other users' browsers. Form submissions, comments, or user profiles become attack vectors.
Template renders user input directly, trusting it's safe when it's not.
Error Messages You Might See
XSS vulnerability detected in template
Malicious script executed in user context
Script injection through unsanitized output
Common Causes
- Raw HTML output without escaping: {{ userInput }} instead of properly escaped
- dangerouslySetInnerHTML or equivalent used without validation
- Server trust user input without sanitizing
- Missing Content Security Policy headers
- Frontend sanitization only, no backend validation
How to Fix It
Escape all user input by default. Use framework features: React auto-escapes, use innerText not innerHTML. Sanitize HTML: DOMPurify library on frontend. Backend validation required too. Use Content Security Policy header to block inline scripts. Never use dangerouslySetInnerHTML unless absolutely necessary and content is verified safe.
Real developers can help you.
Bastien Labelle
Full stack dev w/ 20+ years of experience
Stanislav Prigodich
15+ years building iOS and web apps at startups and enterprise companies. I want to use that experience to help builders ship real products - when something breaks, I'm here to fix it.
BurnHavoc
Been around fixing other peoples code for 20 years.
Meïr Ankri
Full-stack developer specializing in React / Next.js / Node.js with 6+ years of experience. I've worked across various sectors including automotive (Reezocar/Société Générale), healthcare (Medical Link SaaS), and e-commerce (Glasman). I build web apps end-to-end, from architecture to production, with a focus on scalability, performance, and code quality. I also mentor junior developers and contribute to technical decisions and code reviews.
legrab
I'll fill this later
Nam Tran
10 years as fullstack developer
Costea Adrian
Embedded Engineer specilizing in perception systems. Latest project was a adas camera calibration system.
David Olverson
Solo dev shipping production apps with AI-assisted development. I specialize in rescuing broken Lovable/Bolt/Cursor builds and taking them to production. 10+ apps shipped including SaaS CRMs, gaming platforms, real estate tools, and Discord bots. Stack: Next.js 16, TypeScript, Tailwind CSS, FastAPI, PostgreSQL, Prisma. I use Claude Code with 50+ custom skills for rapid delivery. Average turnaround: 2-4 weeks from broken prototype to production.
Jacek Rozanski
Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004).
Day job: I'm the sole backend developer at merketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month.
What I bring to AI-built apps:
- I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0
- I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture)
- I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting
- I integrate external services: payment providers, email systems, partner APIs, SSO/auth
Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code.
Based in Poland (CET timezone). Available for async work and calls during EU/US business hours.
Sage Fulcher
Hey I'm Sage! Im a Boston area software engineer who grew up in South Florida. Ive worked at a ton of cool places like a telehealth kidney care startup that took part in a billion dollar merger (Cricket health/Interwell health), a boutique design agency where I got to work on a ton of exciting startups including a photography education app, a collegiate Esports league and more (Philosophie), a data analytics as a service startup in Cambridge (MA) as well as at Phillips and MIT Lincoln Lab where I designed and developed novel network security visualizations and analytics. I've been writing code and furiously devoted to using computers to make people’s lives easier for about 17 years. My degree is in making computers make pretty lights and sounds. Outside of work I love hip hop, the Celtics, professional wrestling, magic the gathering, photography, drumming, and guitars (both making and playing them)
You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.
Get HelpFrequently Asked Questions
How to prevent XSS in React?
React auto-escapes by default. Avoid: dangerouslySetInnerHTML. For HTML content, use DOMPurify: purify.sanitize(html)
What should be escaped?
All user input, especially from forms, URLs, file uploads. Escape: <, >, &, ", ' to <, >, etc.
What's Content Security Policy?
HTTP header restricts script execution: Content-Security-Policy: script-src 'self'. Blocks inline scripts and external URLs.