Replit
ui
XSS Vulnerability in Thymeleaf Templates
XSS attacks are possible through template injection. Attacker-controlled input executes JavaScript on victim's browser.
Improper escaping of user input in templates allows script execution.
Common Causes
- Using th:utext instead of th:text (unescaped)
- Raw HTML from database without sanitization
- User input directly in JavaScript context
- th:onclick, th:onhover with user data
How to Fix It
Always use th:text (escapes HTML). Use th:utext only for trusted content. Never put user input in script blocks or event handlers. Sanitize HTML with OWASP Java HTML Sanitizer. Use CSP (Content Security Policy) header. Test with OWASP ZAP.
Real developers can help you.
Matthew Jordan
I've been working at a large software company named Kainos for 2 years, and mainly specialise in Platform Engineering. I regularly enjoy working on software products outside of work, and I'm a huge fan of game development using Unity. I personally enjoy Python & C# in my spare time, but I also specialise in multiple different platform-related technologies from my day job.
Vlad Temian
15+ years shipping production infrastructure for startups. Former CTO at qed.builders (acquired by The Sandbox).
Cursor ambassador and agentic tooling builder.
I've scaled systems, automated deployments, and built observability tools for AI coding workflows. I specialize in taking vibe-coded apps from broken prototype to production-ready: fixing Supabase auth/RLS, Stripe integrations, deployment pipelines, and cleaning up AI-generated spaghetti.
I build tools in this space (agentprobe, claudebin, micode) and understand both sides: how AI generates code and why it breaks.
https://blog.vtemian.com/
Mehdi Ben Haddou
- Founder of Chessigma (1M+ users) & many small projects
- ex Founding Engineer @Uplane (YC F25)
- ex Software Engineer @Amazon and @Booking.com
Meïr Ankri
Full-stack developer specializing in React / Next.js / Node.js with 6+ years of experience. I've worked across various sectors including automotive (Reezocar/Société Générale), healthcare (Medical Link SaaS), and e-commerce (Glasman). I build web apps end-to-end, from architecture to production, with a focus on scalability, performance, and code quality. I also mentor junior developers and contribute to technical decisions and code reviews.
Anthony Akpan
Developer with 8 years of experience building softwares fro startups
legrab
I'll fill this later
hanson1014
Full-stack developer experienced in fixing and deploying AI-generated apps from Lovable, Bolt.new, Cursor, and Replit. I specialize in debugging Supabase integration issues (auth flows, RLS policies, database connections), fixing broken deployments, resolving routing/blank screen problems, and cleaning up messy React/Vite codebases. I also build production apps with the Claude API and have shipped a Mac desktop dev tool (Nexterm from scratch. Based in Hong Kong, fast turnaround.
Kingsley Omage
Fullstack software engineer passionate about AI Agents, blockchain, LLMs.
Jared Hasson
Full time lead founding dev at a cyber security saas startup, with 10 yoe and a bachelor's in CS. Building & debugging software products is what I've spent my time on for forever
ISHANTDEEP SINGH
Senior Software Engineer with 7+ years of experience in React, JavaScript, TypeScript, Next.js, and Node.js. I’ve also worked as a tech lead for startups, owning end-to-end technical execution including architecture, development, scaling, and delivery. I bring a strong mix of hands-on coding, product thinking, and technical leadership, and I’m comfortable building products from scratch as well as improving and scaling existing systems.
You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.
Get HelpFrequently Asked Questions
What's the difference between th:text and th:utext?
th:text escapes HTML (safe), th:utext outputs raw HTML (unsafe for user input)
How do I sanitize user-provided HTML?
Use OWASP Java HTML Sanitizer library with whitelist approach