Claude Code ui

XSS Vulnerability in Template Output

User-provided content displayed in template without escaping. Attacker can inject malicious JavaScript that executes in other users' browsers. Form submissions, comments, or user profiles become attack vectors.

Template renders user input directly, trusting it's safe when it's not.

Error Messages You Might See

XSS vulnerability detected in template Malicious script executed in user context Script injection through unsanitized output
XSS vulnerability detected in templateMalicious script executed in user contextScript injection through unsanitized output

Common Causes

  1. Raw HTML output without escaping: {{ userInput }} instead of properly escaped
  2. dangerouslySetInnerHTML or equivalent used without validation
  3. Server trust user input without sanitizing
  4. Missing Content Security Policy headers
  5. Frontend sanitization only, no backend validation

How to Fix It

Escape all user input by default. Use framework features: React auto-escapes, use innerText not innerHTML. Sanitize HTML: DOMPurify library on frontend. Backend validation required too. Use Content Security Policy header to block inline scripts. Never use dangerouslySetInnerHTML unless absolutely necessary and content is verified safe.

Real developers can help you.

Alvin Voo Alvin Voo I’ve watched the tech landscape evolve over the last decade—from the structured days of Java Server Pages to the current "wild west" of Agentic-driven development. While AI can "vibe" a frontend into existence, I specialize in the architecture that keeps it from collapsing. My expertise lies in the critical backend infrastructure: the parts that must be fast, secure, and scalable. I thrive on high-pressure environments, such as when I had only three weeks to architect and launch an Ethereum redemption system with minimal prior crypto knowledge, turning it into a major revenue stream. What I bring to your project: Forensic Debugging: I don't just "patch" bugs; I use tools like Datadog and Explain Analyzers to map out bottlenecks and resolve root causes—like significantly reducing memory usage by optimizing complex DB joins. Full-Stack Context: Deep experience in Node.js and React, ensuring backends play perfectly with mobile and web teams. Sanity in the Age of AI: I bridge the gap between "best practices" and modern speed, ensuring your project isn't just built fast, but built to last. David Olverson David Olverson Solo dev shipping production apps with AI-assisted development. I specialize in rescuing broken Lovable/Bolt/Cursor builds and taking them to production. 10+ apps shipped including SaaS CRMs, gaming platforms, real estate tools, and Discord bots. Stack: Next.js 16, TypeScript, Tailwind CSS, FastAPI, PostgreSQL, Prisma. I use Claude Code with 50+ custom skills for rapid delivery. Average turnaround: 2-4 weeks from broken prototype to production. Jacek Rozanski Jacek Rozanski Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004). Day job: I'm the sole backend developer at merketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month. What I bring to AI-built apps: - I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0 - I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture) - I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting - I integrate external services: payment providers, email systems, partner APIs, SSO/auth Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code. Based in Poland (CET timezone). Available for async work and calls during EU/US business hours. Rudra Bhikadiya Rudra Bhikadiya I build and fix web apps across Next.js, Node.js, and DBs. Comfortable jumping into messy code, broken APIs, and mysterious bugs. If your project works in theory but not in reality, I help close that gap. Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact. MFox MFox Full-stack professional senior engineer (15+years). Extensive experience in software development, qa, and IP networking. Omar Faruk Omar Faruk As a Product Engineer at Klasio, I contributed to end-to-end product development, focusing on scalability, performance, and user experience. My work spanned building and refining core features, developing dynamic website templates, integrating secure and reliable payment gateways, and optimizing the overall system architecture. I played a key role in creating a scalable and maintainable platform to support educators and learners globally. I'm enthusiastic about embracing new challenges and making meaningful contributions. legrab legrab I'll fill this later Richard McSorley Richard McSorley Full-Stack Software Engineer with 8+ years building high-performance applications for enterprise clients. Shipped production systems at Walmart (4,000+ stores), Cigna (20M+ users), and Arkansas Blue Cross. 5 patents in retail/supply chain tech. Currently focused on AI integrations, automation tools, and TypeScript-first architectures. Jen Jacobsen Jen Jacobsen I’m a Full-Stack Developer with over 10 years of experience building modern web and mobile applications. I enjoy working across the full product lifecycle — turning ideas into real, well-built products that are intuitive for users and scalable for businesses. I particularly enjoy building mobile apps, modern web platforms, and solving complex technical problems in a way that keeps systems clean, reliable, and easy to maintain.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

How to prevent XSS in React?

React auto-escapes by default. Avoid: dangerouslySetInnerHTML. For HTML content, use DOMPurify: purify.sanitize(html)

What should be escaped?

All user input, especially from forms, URLs, file uploads. Escape: <, >, &, ", ' to &lt;, &gt;, etc.

What's Content Security Policy?

HTTP header restricts script execution: Content-Security-Policy: script-src 'self'. Blocks inline scripts and external URLs.

Related Claude Code Issues

UI Component Not Rendering After State Update

ui

CSS Styles Not Applied, Specificity Issue

ui

Form Validation Logic Partially Implemented

ui

Server-Side Template Syntax Errors

ui

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help